Apache Struts < 2.3.1.1 Multiple Vulnerabilities

High Nessus Plugin ID 143125

Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks.

VPR Score: 7.4

Synopsis

A web application running on the remote host uses a Java framework that is affected by multiple vulnerabilities.

Description

The version of Apache Struts running on the remote host is prior to 2.3.1.1. It is, therefore, affected by multiple vulnerabilities:

- The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. (CVE-2012-0392)

- Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. (CVE-2011-3923)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Struts version 2.3.1.1 or later.

See Also

https://cwiki.apache.org/confluence/display/WW/S2-008

Plugin Details

Severity: High

ID: 143125

File Name: struts_2_3_1_1_real.nasl

Version: 1.2

Type: combined

Agent: windows, macosx, unix

Family: Misc.

Published: 2020/11/20

Updated: 2020/11/24

Dependencies: 99671, 122235, 11936, 73943

Risk Information

Risk Factor: High

VPR Score: 7.4

CVSS Score Source: CVE-2012-0392

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:apache:struts

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2012/01/02

Vulnerability Publication Date: 2012/01/02

Exploitable With

CANVAS (White_Phosphorus)

Metasploit (Apache Struts ParametersInterceptor Remote Code Execution)

Elliot (Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Windows)

Reference Information

CVE: CVE-2011-3923, CVE-2012-0392