CVE-2012-1592

Vulnerability

Analysis

CVE-2012-1592 describes a local code execution vulnerability in Apache Struts2. The root cause lies in how the framework processes XSLT files. When the application handles a malformed or specially crafted XSLT file during the upload or transformation process, it fails to properly sanitize the input, leading to arbitrary file upload and execution. This is a file upload validation bypass issue within the Struts2 XSLT result type [1].

Exploitation

Prerequisites

Exploitation requires that the targeted Struts2 application exposes functionality that processes XSLT files, such as an upload feature or a transformation endpoint. The attacker needs local access or the ability to upload files to the server. The attack does not require authentication if the vulnerable endpoint is publicly accessible. Once the attacker provides a malformed XSLT file, the Struts2 framework processes it in an unsafe manner, allowing the attacker to write and then execute arbitrary files on the server [2].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the Struts2 application. This can lead to full server compromise, including data theft, installation of backdoors, and further lateral movement within the network. The vulnerability has a CVSS score of 7.5 (High), reflecting the high impact on confidentiality, integrity, and availability [3].

Mitigation

The vulnerability is addressed in later versions of Apache Struts2. Users are strongly advised to upgrade to a patched release. If upgrading is not immediately possible, the recommendation is to restrict access to the Config Browser Plugin and follow general Struts2 security best practices, such as avoiding the use of incoming, untrusted user input in forced expression evaluation and never exposing JSP files directly [1]. The vulnerability has been known for a long time, and while not currently on the CISA KEV list, it should be remediated promptly.