Critical severity 9.8 · CISA KEV · NVD Advisory · Published Jan 8, 2012 · Updated Jun 16, 2026
CVE-2012-0391
Description
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts2-core (Maven) | < 2.2.3.1 | 2.2.3.1 |
| org.apache.struts.xwork:xwork-core (Maven) | < 2.2.3.1 | 2.2.3.1 |
Affected products
- ghsa-coords (2 versions): < 2.2.3.1 (+ 1 more)
- (no CPE) range: < 2.2.3.1
- (no CPE) range: < 2.2.3.1
References
- archives.neohapsis.com/archives/bugtraq/2012-01/0031.html (nvd; Broken Link, Exploit; WEB)
- www.exploit-db.com/exploits/18329 (nvd; Exploit; WEB)
- www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt (nvd; Broken Link, Exploit; WEB)
- secunia.com/advisories/47393 (nvd; Vendor Advisory; WEB)
- struts.apache.org/2.x/docs/s2-008.html (nvd; Vendor Advisory; WEB)
- struts.apache.org/2.x/docs/version-notes-2311.html (nvd; Vendor Advisory; WEB)
- github.com/advisories/GHSA-4wrr-9h5r-m92w (ghsa; ADVISORY)
- issues.apache.org/jira/browse/WW-3668 (nvd; Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2012-0391 (ghsa; ADVISORY)
- github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e (ghsa; WEB)
- github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b (ghsa; WEB)
- github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892 (ghsa; WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd; US Government Resource; WEB)