Detections
Analytics

Apache Struts 2.0.0 < 2.3.18 multiple vulnerabilities - Remote command execution and arbitrary file overwrite, Strict DMI does not work correctly(S2-008)

critical Nessus Plugin ID 279485

Language:

Synopsis

Apache Struts installed on the remote host is affected by multiple vulnerabilities - Remote command execution and arbitrary file overwrite, Strict DMI does not work correctly

Description

The version of Apache Struts installed on the remote host is prior to 2.3.18. It is, therefore, affected by multiple vulnerabilities as referenced in the S2-008 advisory.

 - The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. (CVE-2012-0391)

 - The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. (CVE-2012-0392)

 - The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. (CVE-2012-0393)

 - The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not a security vulnerability itself. (CVE-2012-0394)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Struts version 2.3.18 or later.

See Also

https://cwiki.apache.org/confluence/display/WW/S2-008

Plugin Details

Severity: Critical

ID: 279485

File Name: struts_S2-008.nasl

Version: 1.2

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 12/21/2025

Updated: 2/20/2026

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-0391

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:struts

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/2/2012

CISA Known Exploited Vulnerability Due Dates: 7/21/2022

Exploitable With

CANVAS (D2ExploitPack)

Core Impact

Metasploit (Apache Struts Remote Command Execution)

Elliot (Apache-Struts ExceptionDelegator < 2.3.1.1 RCE Linux)

Reference Information

CVE: CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394