Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution

high Nessus Plugin ID 69240

Synopsis

The remote web server contains a web application that uses a Java framework that is affected by a remote command execution vulnerability.

Description

The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to an error in the way that the ExceptionDelegator component handles mismatched data types, an unauthenticated, remote attacker can execute arbitrary commands on the remote host by sending a specially crafted request order. This flaw is due to the ExceptionDelegator interpreting parameter values as OGNL expressions when there is a conversion error.

Note that this plugin will only report the first vulnerable instance of a Struts 2 application.

Solution

Upgrade to version 2.2.3.1 or later.

See Also

http://www.nessus.org/u?828dc6d2

http://struts.apache.org/docs/s2-007.html

http://struts.apache.org/docs/s2-008.html

Plugin Details

Severity: High

ID: 69240

File Name: struts_exceptiondelegator_command_execution.nasl

Version: 1.23

Type: remote

Family: CGI abuses

Published: 8/7/2013

Updated: 7/17/2023

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-0391

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:struts

Required KB Items: Settings/enable_web_app_tests

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 9/5/2011

Vulnerability Publication Date: 8/5/2011

CISA Known Exploited Vulnerability Due Dates: 7/21/2022

Exploitable With

CANVAS (D2ExploitPack)

Metasploit (Apache Struts Remote Command Execution)

Reference Information

CVE: CVE-2012-0391