CVE-2012-0391

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 08 January 2012
Modified: 22 April 2026
KEV Added: 21 January 2022
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8753 (99.5th percentile)
Risk Priority: 92 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-0391 is a critical-severity Code Injection (CWE-94) vulnerability in Apache Struts. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.5% of all CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an instance of improper control of code generation in the ExceptionDelegator component of Apache Struts versions prior to 2.2.3.1. During exception handling triggered by mismatched data types on bean properties, the component evaluates supplied parameter values as OGNL expressions, enabling injection of arbitrary Java code. The issue is tracked as CWE-94 and carries a CVSS 3.1 base score of 9.8.

Remote attackers without authentication can exploit the flaw by submitting a crafted HTTP parameter that causes a type-conversion exception; successful exploitation results in execution of attacker-supplied Java code on the server. Public proof-of-concept material is indexed on Exploit-DB.

Advisories referenced in the Struts 2.2.3.1 release notes and security bulletin S2-008 direct users to upgrade to version 2.2.3.1 or later, which removes the unsafe OGNL evaluation path in ExceptionDelegator.

Vulnerability details

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

CWE(s): CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / struts: versions before 2.2.3.1 (2.2.3.1 is the release that removes the unsafe OGNL evaluation path)

Mitigating Controls (NIST 800-53 r5)

- prevent, SI-10 (Information Input Validation): Directly blocks the crafted HTTP parameter from being interpreted as an OGNL expression by enforcing validation of all input values before they reach ExceptionDelegator.

- prevent, SI-2 (Flaw Remediation): Requires prompt application of the Struts 2.2.3.1 patch that removes the unsafe OGNL evaluation path in ExceptionDelegator.

- prevent: Ensures exception-handling paths do not expose or evaluate untrusted data as code, addressing the type-mismatch trigger used by the CVE.
