CVE-2012-0391

CVE Database · CVE-2012-0391

CVE-2012-0391

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

75.07%

Published

Jan 8, 2012

Modified

Apr 22, 2026

CISA Known Exploited Vulnerability

Added: 2022-01-21 · Due: 2022-07-21

Apply updates per vendor instructions.

Public PoC / Exploit (3)

All weaponized →

Exploit-DBApache Struts 2.2.1.1 - Remote Command Execution (Metasploit)Exploit-DBApache Struts 2 < 2.3.1 - Multiple Vulnerabilities TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94CWE-94

Affected Products (1)

apache · struts (up to 2.2.3.1)vulnerable

References (15)

http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html

Broken LinkExploit

http://secunia.com/advisories/47393

Vendor Advisory

http://struts.apache.org/2.x/docs/s2-008.html