CVE-2012-0393

Apache Struts <2.3.1.1 - Code Injection

Description

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by SEC Consult · text · webapps · multiple
https://www.exploit-db.com/exploits/18329

Scores

EPSS 0.5854
EPSS Percentile 98.2%

Details

CWE
CWE-264
Status published
Products (3)
apache/struts 2.1.0 - 2.3.1.1
org.apache.struts/struts2-core 0 - 2.3.1.1 (Maven)
org.apache.struts.xwork/xwork-core 0 - 2.2.3.1 (Maven)
Published Jan 08, 2012
Tracked Since Feb 18, 2026