Homepage
About Snyk

Arbitrary Code Execution Affecting com.opensymphony:xwork-core package, versions [2.1.4,2.1.6)

0.0
high

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 29.32% (97th percentile)
Expand this section
NVD
8.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-COMOPENSYMPHONY-30325
  • published 20 Dec 2011
  • disclosed 20 Dec 2011
  • credit Johannes Dahse, Bruce Phillips
Report a new vulnerability Found a mistake?

Introduced: 20 Dec 2011

CVE-2012-0391 Open this link in a new tab
CWE-20 Open this link in a new tab
CWE-94 Open this link in a new tab

Overview

com.opensymphony:xwork-core is an command-pattern framework that is used to power WebWork as well as other applications. XWork provides an Inversion of Control container, a powerful expression language, data type conversion, validation, and pluggable configuration.

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.