CVE-2012-0838

Apache Struts 2 < 2.2.3.1 - Remote Code Execution via OGNL Expression Evaluation

Title source: llm
STIX 2.1

Description

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012
Vendor Advisory x_refsource_confirm
http://struts.apache.org/2.3.1.2/docs/s2-007.html
Issue Tracking, Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/WW-3668
Third Party Advisory, VDB Entry third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN79099262/index.html

Scores

EPSS 0.1388
EPSS Percentile 96.1%

Details

CWE
CWE-20
Status published
Products (3)
apache/struts 2.0.0 - 2.2.3
org.apache.struts/struts2-core 0 - 2.2.3.1Maven
org.apache.struts.xwork/xwork-core 0 - 2.2.3.1Maven
Published Mar 02, 2012
Tracked Since Feb 18, 2026