Summary
This host is running Apache Struts Showcase and is prone to a Java method execution vulnerability.
Impact
Successful exploitation could allow an attacker to execute arbitrary Java methods. This could in turn disclose environment variables, cause a denial of service, or allow arbitrary OS commands to be executed.
Impact Level: Application
Solution
Upgrade Apache Struts2 to 2.2.3.1 or later.
For updates, refer to http://struts.apache.org/download.cgi
Insight
The flaw is due to an improper conversion in an OGNL expression when the action contains a non-string property.
Affected
Apache Struts2 (Showcase) version 2.x to 2.2.3
Severity
Classification
CVE: CVE-2012-0838
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C