CVE-2012-0391
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- January 08, 2012
- Published Date
- January 08, 2012
- Last Updated
- February 10, 2025
- Vendor
- n/a
- Product
- n/a
- Description
- The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
CVSS Scores
SSVC Information
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- total
Exploit Status
- Exploited in the Wild
- Yes (added 2022-01-21 00:00:00 UTC) Source
References
http://www.exploit-db.com/exploits/18329
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
http://struts.apache.org/2.x/docs/version-notes-2311.html
http://struts.apache.org/2.x/docs/s2-008.html
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
https://issues.apache.org/jira/browse/WW-3668
http://secunia.com/advisories/47393
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2022-01-21 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb | 2025-04-29 11:01:23 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
struts_code_exec_exception_delegator
Type: metasploit • Created: Unknown
Metasploit module for CVE-2012-0391