CyberSec.Space Logo
Back to CVE Browser

CVE-2012-0391

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score88.4900%
EPSS Percentile94.69th
PublishedJan 8, 2012
Last ModifiedApr 22, 2026

Vulnerability Description

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Affected Platforms (CPE)

πŸ“¦
Apache

Struts

< 2.2.3.1

References & Advisories

πŸ”— http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
πŸ”— http://secunia.com/advisories/47393
πŸ”— http://struts.apache.org/2.x/docs/s2-008.html
πŸ”— http://struts.apache.org/2.x/docs/version-notes-2311.html
πŸ”— http://www.exploit-db.com/exploits/18329
πŸ”— https://issues.apache.org/jira/browse/WW-3668
πŸ”— https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
πŸ”— http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html

Related Vulnerabilities

CVE-2013-431610.0

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

CVE-2012-083810.0

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows re...

CVE-2020-175309.8

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software :...

CVE-2021-440779.8

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulner...