CVE-2012-0391 – org.apache.struts.xwork:xwork-core

Package

Manager: maven
Name: org.apache.struts.xwork:xwork-core
Vulnerable Version: >=0 <2.2.3.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.90887 pctl0.99613

Details

Apache Struts Remote Java Code Execution The `ExceptionDelegator` component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Metadata

Created: 2022-05-04T00:29:43Z
Modified: 2023-12-27T16:29:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4wrr-9h5r-m92w/GHSA-4wrr-9h5r-m92w.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-4wrr-9h5r-m92w
Finding: F184
Auto approve: 1