CVE-2012-0838
Apache Struts 2 < 2.2.3.1 - Remote Code Execution via OGNL Expression Evaluation
Title source: llmDescription
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry third-party-advisory
x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012
Vendor Advisory x_refsource_confirm
http://struts.apache.org/2.3.1.2/docs/s2-007.html
Issue Tracking, Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/WW-3668
Third Party Advisory, VDB Entry third-party-advisory
x_refsource_jvn
http://jvn.jp/en/jp/JVN79099262/index.html
Scores
EPSS
0.1388
EPSS Percentile
96.1%
Details
CWE
CWE-20
Status
published
Products (3)
apache/struts
2.0.0 - 2.2.3
org.apache.struts/struts2-core
0 - 2.2.3.1Maven
org.apache.struts.xwork/xwork-core
0 - 2.2.3.1Maven
Published
Mar 02, 2012
Tracked Since
Feb 18, 2026