CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2012-0391

CVSS 9.8v3.1pub. 2012-01-08upd. 2026-04-22

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Struts

    APP
    Apache
    < 2.2.3.1

CISA KEV — detailsi

Vendori
Apache
Producti
Struts 2
Added to KEVi
January 21, 2022
Remediation deadline (US Federal)i
July 21, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 21 lipca 2022
CWE
References

Related vulnerabilities

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2017-9791CRITICAL9.8⚠ KEVten sam produkt

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...

CVE-2017-5638CRITICAL9.8⚠ KEVten sam produkt

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...

CVE-2013-2251CRITICAL9.8⚠ KEVten sam produkt

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...

CVE-2024-53677CRITICAL9.5PL ✓ten sam produkt

Apache Struts: RCE przez podatność path traversal przy upload plików