CVE-2012-0391
Published: 08 January 2012
Summary
CVE-2012-0391 is a critical-severity Code Injection (CWE-94) vulnerability in Apache Struts. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an instance of improper control of code generation in the ExceptionDelegator component of Apache Struts versions prior to 2.2.3.1. During exception handling triggered by mismatched data types on bean properties, the component evaluates supplied parameter values as OGNL expressions, enabling injection of arbitrary Java code. The issue is tracked as CWE-94 and carries a CVSS 3.1 base score of 9.8.
Remote attackers without authentication can exploit the flaw by submitting a crafted HTTP parameter that causes a type-conversion exception; successful exploitation results in execution of attacker-supplied Java code on the server. Public proof-of-concept material is indexed on Exploit-DB.
Advisories referenced in the Struts 2.2.3.1 release notes and security bulletin S2-008 direct users to upgrade to version 2.2.3.1 or later, which removes the unsafe OGNL evaluation path in ExceptionDelegator.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-2464
Vulnerability details
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
- CWE(s)
- CWE-94
- KEV Date Added
- 21 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks the crafted HTTP parameter from being interpreted as an OGNL expression by enforcing validation of all input values before they reach ExceptionDelegator.
- SI-2 (Flaw Remediation): Requires prompt application of the Struts 2.2.3.1 patch that removes the unsafe OGNL evaluation path in ExceptionDelegator.
- Ensures exception-handling paths do not expose or evaluate untrusted data as code, addressing the type-mismatch trigger used by the CVE.
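The SI-10 control above is the one a team can act on without a redeploy of the framework, so here is an added example of what it looks like in practice. This is illustrative code written for this page, not part of the CVE record or the Apache Struts project. It is a servlet filter that allow-lists request parameters by name and validates each value against the type the action property expects, before the Struts parameter interceptor ever attempts type conversion. The trigger for this CVE is a conversion failure on a mismatched property type, so a value that is guaranteed to be well-formed for its declared type never reaches the exception path. The parameter names (orderId, quantity, note), their patterns and the length limit are assumptions chosen for the example; a real deployment derives them from the action's declared properties.

```java
// Added example (not from the CVE record or the Struts project): a servlet filter that
// enforces NIST SI-10 style allow-list validation of request parameters before they
// reach the Struts 2 parameter interceptor. The parameter names, patterns and bounds
// below are assumptions for illustration; a real deployment derives them from the
// action's declared properties.
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ParameterAllowListFilter implements Filter {

    // Hypothetical expected parameters for one action, keyed by exact name.
    // Each pattern must fully match the raw value for the parameter to be accepted.
    private static final Map<String, Pattern> EXPECTED = Map.of(
        "orderId",  Pattern.compile("[0-9]{1,10}"),            // integer property
        "quantity", Pattern.compile("[0-9]{1,4}"),             // integer property
        "note",     Pattern.compile("[A-Za-z0-9 .,'-]{0,200}") // free text, plain characters only
    );

    // Upper bound on parameter-name length; property paths longer than this are rejected.
    private static final int MAX_NAME_LENGTH = 64;

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        String problem = firstInvalidParameter(http.getParameterMap());
        if (problem != null) {
            // Reject before any framework conversion runs. Log only the parameter name,
            // never the offending value, so hostile input stays out of log pipelines.
            http.getServletContext().log("Rejected request: bad parameter '" + problem + "'");
            out.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns the first parameter name that is unknown, oversized, or whose value
     * fails its declared validator; returns null when every parameter is acceptable.
     * Unknown names are rejected outright: a property that does not exist on the
     * action is exactly the input the type-conversion path should never see.
     */
    static String firstInvalidParameter(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String name = e.getKey();
            if (name == null || name.length() > MAX_NAME_LENGTH) {
                return name;
            }
            Pattern rule = EXPECTED.get(name);
            if (rule == null) {
                return name;
            }
            for (String value : e.getValue()) {
                if (value == null || !rule.matcher(value).matches()) {
                    return name;
                }
            }
        }
        return null;
    }
}
```

Register the filter in web.xml ahead of the Struts dispatcher filter (StrutsPrepareAndExecuteFilter in Struts 2.1.3 and later) so it runs first. Two design points matter: the check is a positive allow-list keyed on the property's declared type, not a deny-list of expression syntax, so it does not need to know what a malicious value looks like; and it is a compensating control at the HTTP boundary, which narrows exposure but does not replace the SI-2 step of upgrading to Struts 2.2.3.1 or later, where the unsafe OGNL evaluation path in ExceptionDelegator is actually removed.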