Name | strutsCodeInjection |
CVE | CVE-2012-0394 |
Exploit Pack | CANVAS |
Description | Struts Code Injector |
Notes | CVE Name: CVE-2012-0394 VENDOR: Apache Notes: CVE-2012-0394 - Struts <= 2.2.1.1 (ExceptionDelegator) When an exception occurs while applying parameter values to properties, the value is evaluated as OGNL expression which can be abused to accomplish Java code execution. - Struts <= 2.3.1 (CookieInterceptor) Again an OGNL expression can be abused to accomplish arbitrary Java code execution by means of a crafted cookie. CVE-2010-1870 - Struts <= 2.2.0 (Xworks filter bypass) Unicode characters can be used to bypass character restrictions on OGNL expressions. Repeatability: Infinite References: CVE-2012-0394 http://struts.apache.org/2.x/docs/s2-008.html https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt CVE-2010-1870 http://seclists.org/fulldisclosure/2010/Jul/183 http://struts.apache.org/2.2.1/docs/s2-005.html CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0394 Compatibility: Struts <= 2.2.1.1 (ExceptionDelegator) Struts <= 2.3.1 (CookieInterceptor) Struts <= 2.2.0 (XworksFilterBypass) |
Learn more about the CANVAS Exploit Pack here: CANVAS |