CVE-2012-0394
CVE-2012-0394
Vexday Risk Score
60Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS —EPSS 74.4%KEV nãoPoC públicaNuclei simMetasploit simPatch —
Lifecycle
06 Jan 2012Metasploit module available
06 Jan 2012Public PoC
08 Jan 2012Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.
Affected products
n/a · n/apublic PoCs found — 4
cve_referencewww.exploit-db.com/exploits/18329unverifiedcve_referencewww.exploit-db.com/exploits/31434unverifiedexploitdbwww.exploit-db.com/exploits/31434unverifiedexploitdbwww.exploit-db.com/exploits/18329unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlhttp://struts.apache.org/2.x/docs/s2-008.htmlhttp://struts.apache.org/2.x/docs/version-notes-2311.htmlhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txthttp://www.exploit-db.com/exploits/18329http://www.exploit-db.com/exploits/31434http://www.osvdb.org/78276