6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.945 High
EPSS
Percentile
99.0%
Name | strutsCodeInjection |
---|---|
CVE | CVE-2012-0394 Exploit Pack |
VENDOR: Apache | |
Notes: | |
CVE-2012-0394 | |
- Struts <= 2.2.1.1 (ExceptionDelegator) |
When an exception occurs while applying parameter values to properties, the
value is evaluated as OGNL expression which can be abused to accomplish Java code execution.
- Struts <= 2.3.1 (CookieInterceptor)
Again an OGNL expression can be abused to accomplish arbitrary Java code execution
by means of a crafted cookie.
CVE-2010-1870
- Struts <= 2.2.0 (Xworks filter bypass)
Unicode characters can be used to bypass character restrictions on OGNL expressions.
Repeatability: Infinite
References:
CVE-2012-0394
http://struts.apache.org/2.x/docs/s2-008.html
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
CVE-2010-1870
http://seclists.org/fulldisclosure/2010/Jul/183
http://struts.apache.org/2.2.1/docs/s2-005.html
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0394
Compatibility:
Struts <= 2.2.1.1 (ExceptionDelegator)
Struts <= 2.3.1 (CookieInterceptor)
Struts <= 2.2.0 (XworksFilterBypass)