CyberSec.Space Logo
CVEブラウザに戻る

CVE-2012-0391

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score88.4900%
EPSS Percentile94.69th
Published2012年1月8日
Last Modified2026年4月22日

Vulnerability Description

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Affected Platforms (CPE)

📦
Apache

Struts

< 2.2.3.1

References & Advisories

🔗 http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
🔗 http://secunia.com/advisories/47393
🔗 http://struts.apache.org/2.x/docs/s2-008.html
🔗 http://struts.apache.org/2.x/docs/version-notes-2311.html
🔗 http://www.exploit-db.com/exploits/18329
🔗 https://issues.apache.org/jira/browse/WW-3668
🔗 https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
🔗 http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html

関連する脆弱性情報

CVE-2013-431610.0

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

CVE-2012-083810.0

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows re...

CVE-2020-175309.8

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software :...

CVE-2021-440779.8

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulner...