CVE-2017-12611: Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal
CVSS Score: 9.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2017-12611
GHSA ID:
EPSS Score: 0.99933%
CWE: CWE-20
Published: 10/16/2018
Updated: 1/4/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.struts:struts2-core | maven | >= 2.0.1, <= 2.3.33 | 2.3.34 |
org.apache.struts:struts2-core | maven | >= 2.5.0, <= 2.5.10.1 | 2.5.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from an insecure Freemarker configuration in Apache Struts. The commit diff shows that the critical fix was adding 'configuration.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER)' in the createConfiguration method. Before this change, the absence of a secure class resolver allowed malicious OGNL expressions in Freemarker tags to trigger unintended class instantiation. This aligns with CWE-20 (Improper Input Validation), as the system did not properly validate or sanitize expression inputs during template processing.
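
The resolver setting named in the analysis, as an added example that is not Struts' own code: it builds one FreeMarker Configuration with the resolver left at its default and one with SAFER_RESOLVER, then checks whether a constructed probe template is allowed to use the ?new built-in. The class name NewBuiltinResolverCheck, its helper methods, the probe template and the presence of FreeMarker 2.3.23 or later on the classpath are assumptions.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

public class NewBuiltinResolverCheck {
    // Constructed probe template: it only asks ?new to instantiate a utility class that
    // FreeMarker documents as refused by SAFER_RESOLVER; the object is never called.
    static final String PROBE =
        "<#assign probe = \"freemarker.template.utility.ObjectConstructor\"?new()>";

    // Assumed stand-in for the configuration before the fix: resolver left at its default.
    static Configuration defaultConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    // Same configuration with the one-line change the analysis quotes.
    static Configuration hardenedConfiguration() {
        Configuration cfg = defaultConfiguration();
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }

    // True if the ?new built-in was allowed to resolve the class under this configuration.
    static boolean probeResolves(Configuration cfg) throws IOException {
        Template template = new Template("probe", new StringReader(PROBE), cfg);
        try {
            template.process(Collections.emptyMap(), new StringWriter());
            return true;
        } catch (TemplateException refused) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("default resolver allows ?new: " + probeResolves(defaultConfiguration()));
        System.out.println("SAFER_RESOLVER allows ?new:   " + probeResolves(hardenedConfiguration()));
        if (probeResolves(hardenedConfiguration())) {
            throw new IllegalStateException("FreeMarker ?new resolver is not restricted");
        }
    }
}
```

The same probeResolves check can run as a regression test against whatever Configuration object an application actually builds, so a dependency upgrade or refactor that drops the resolver setting fails the build.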