CVE-2012-0391
CRITICAL KEV
Apache Struts <2.2.3.1 - RCE
Title source: llm
Description
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/18984
exploitdb
WORKING POC
VERIFIED
by SEC Consult · text · webapps · multiple
https://www.exploit-db.com/exploits/18329
metasploit
WORKING POC
EXCELLENT
by Johannes Dahse, Andreas Nusser, juan vazquez, sinn3r, mihi · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
References (8)
Scores
CVSS v3
9.8
EPSS
0.8832
EPSS Percentile
99.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV
2022-01-21
VulnCheck KEV
2021-10-13
InTheWild.io
2022-01-21
ENISA EUVD
EUVD-2022-2464
CWE
CWE-94
Status
published
Products (3)
apache/struts
< 2.2.3.1
org.apache.struts/struts2-core
0 - 2.2.3.1 · Maven
org.apache.struts.xwork/xwork-core
0 - 2.2.3.1 · Maven
Published
Jan 08, 2012
KEV Added
Jan 21, 2022
Tracked Since
Feb 18, 2026