Improper Input Validation in com.opensymphony:xwork

CVE-2012-0838

com.opensymphony:xwork
com.opensymphony:xwork-core
opensymphony:xwork
opensymphony:xwork-2.0-beta
org.apache.struts:struts2-core
org.apache.struts.xwork:xwork-core

High

10/10

Summary

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

Access Complexity: LOW
AccessVector: NETWORK
Authentication: NONE
Integrity Impact: COMPLETE
Confidentiality Impact: COMPLETE
Availability Impact: COMPLETE

CWE-20 - Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

Advisory
Issue

Advisory Timeline

Published Mar 02, 2012

Improper Input Validation in com.opensymphony:xwork

CVE-2012-0838

Summary

CWE-20 - Improper Input Validation

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS