GHSA-8m5q-crqq-6pmf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8m5q-crqq-6pmf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-8m5q-crqq-6pmf/GHSA-8m5q-crqq-6pmf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8m5q-crqq-6pmf
- Aliases
-
- CVE-2012-1592
- Published
- 2022-04-23T00:40:23Z
- Modified
- 2023-11-08T03:57:04.028343Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Unrestricted Upload of File with Dangerous Type in Apache Struts2
- Details
-
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. A patch exists as of version 2.5.22.
- Database specific
{ "nvd_published_at": "2019-12-05T21:15:00Z", "github_reviewed_at": "2022-07-13T19:27:31Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-434" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2012-1592
- https://access.redhat.com/security/cve/cve-2012-1592
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1592
- https://github.com/apache/struts
- https://github.com/apache/struts/blob/master/core/src/main/resources/struts-default.xml#L39-L76
- https://issues.apache.org/jira/browse/WW-5055
- https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2%40%3Cissues.struts.apache.org%3E
- https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2@%3Cissues.struts.apache.org%3E
- https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc%40%3Cissues.struts.apache.org%3E
- https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc@%3Cissues.struts.apache.org%3E
- https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b%40%3Cissues.struts.apache.org%3E
- https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b@%3Cissues.struts.apache.org%3E
- https://seclists.org/bugtraq/2012/Mar/110
- https://security-tracker.debian.org/tracker/CVE-2012-1592
- https://struts.apache.org/security/#internal-security-mechanism
- https://www.openwall.com/lists/oss-security/2012/03/28/12
Affected packages
Maven / org.apache.struts:struts2-core
Package
- Name
- org.apache.struts:struts2-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.struts/struts2-core
Affected versions
2.*
2.0.5
2.0.6
2.0.8
2.0.9
2.0.11
2.0.11.1
2.0.11.2
2.0.12
2.0.14
2.1.2
2.1.6
2.1.8
2.1.8.1
2.2.1
2.2.1.1
2.2.3
2.2.3.1
2.3.1
2.3.1.1
2.3.1.2
2.3.3
2.3.4
2.3.4.1
2.3.7
2.3.8
2.3.12
2.3.14
2.3.14.1
2.3.14.2
2.3.14.3
2.3.15
2.3.15.1
2.3.15.2
2.3.15.3
2.3.16
2.3.16.1
2.3.16.2
2.3.16.3
2.3.20
2.3.20.1
2.3.20.3
2.3.24
2.3.24.1
2.3.24.3
2.3.28
2.3.28.1
2.3.29
2.3.30
2.3.31
2.3.32
2.3.33
2.3.34
2.3.35
2.3.36
2.3.37
2.5-BETA1
2.5-BETA2
2.5-BETA3
2.5
2.5.1
2.5.2
2.5.5
2.5.8
2.5.10
2.5.10.1
2.5.12
2.5.13
2.5.14
2.5.14.1
2.5.16
2.5.17
2.5.18
2.5.20