Описание
Apache Struts's ParameterInterceptor component does not prevent access to public constructors
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2012-0393
- https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e
- https://github.com/apache/struts/commit/9cad25f258bb2629d263f828574d2671366c238d
- https://web.archive.org/web/20120612142634/https://sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
- https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
- http://struts.apache.org/2.x/docs/s2-008.html
- http://struts.apache.org/2.x/docs/version-notes-2311.html
- http://www.exploit-db.com/exploits/18329
Пакеты
org.apache.struts:struts2-core
< 2.3.1.1
2.3.1.1
org.apache.struts.xwork:xwork-core
< 2.2.3.1
2.2.3.1
EPSS
CVE ID
Связанные уязвимости
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
The ParameterInterceptor component in Apache Struts before 2.3.1.1 doe ...
Уязвимость компонента ParameterInterceptor программной платформы Apache Struts, позволяющая нарушителю записывать произвольные файлы в систему
EPSS