Description

Apache Struts2 is a web framework for creating Java web applications. It is using the OpenSymphony XWork and OGNL libraries. By default, XWork's ParametersInterceptor treats parameter names provided to actions as OGNL expressions. A OGNL (Object Graph Navigation Language) expression is a limited language similar to Java that is tokenized and parsed by the OGNL parser which invokes appropriate Java methods. Under certain circumstances it's possible to send custom OGNL statements and execute malicious Java code.

Remediation

Upgrade to Struts version 2.3.1.1

References

Multiple critical vulnerabilities in Apache Struts2

22 January 2011 - Struts 2.3.1.2 General Availability Release

Related Vulnerabilities

MySQL CVE-2021-2002 Vulnerability (CVE-2021-2002)

XOOPS Other Vulnerability (CVE-2005-3680)

MyBB Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-5909)

SugarCRM Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-17306)

TCExam Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-5750)

Severity

High

Classification

CVE-2012-0393 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities