Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oeHFxLXc0bXItbWM2Ms3e2A
Apache Struts's ParameterInterceptor component does not prevent access to public constructors
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Permalink: https://github.com/advisories/GHSA-hxqq-w4mr-mc62JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oeHFxLXc0bXItbWM2Ms3e2A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 2 months ago
Identifiers: GHSA-hxqq-w4mr-mc62, CVE-2012-0393
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-0393
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
- http://struts.apache.org/2.x/docs/s2-008.html
- http://struts.apache.org/2.x/docs/version-notes-2311.html
- http://www.exploit-db.com/exploits/18329
- https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e
- https://web.archive.org/web/20120612142634/https://sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
- https://github.com/apache/struts/commit/9cad25f258bb2629d263f828574d2671366c238d
- https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393
- https://github.com/advisories/GHSA-hxqq-w4mr-mc62
Blast Radius: 0.0
Affected Packages
maven:org.apache.struts:struts2-core
Dependent packages: 194Dependent repositories: 6,183
Downloads:
Affected Version Ranges: < 2.3.1.1
Fixed in: 2.3.1.1
All affected versions:
All unaffected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0
maven:org.apache.struts.xwork:xwork-core
Dependent packages: 59Dependent repositories: 484
Downloads:
Affected Version Ranges: < 2.2.3.1
Fixed in: 2.2.3.1
All affected versions:
All unaffected versions: 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37