CVE-2012-0394 – org.apache.struts.xwork:xwork-core
Package
Manager: maven
Name: org.apache.struts.xwork:xwork-core
Vulnerable Version: >=0 <2.3.18
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.93732 (percentile: 0.99846)
Details
Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Metadata
Created: 2022-05-04T00:29:43Z
Modified: 2024-03-05T19:29:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hmvj-gc9q-mg9p/GHSA-hmvj-gc9q-mg9p.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-hmvj-gc9q-mg9p
Finding: F422
Auto approve: 1