Apache Struts <2.3.1.1 - Remote Code Execution (CVE-2012-0394)
pentest-tools.com, indexed 2025-03-26
Download link:
https://pentest-tools.com/vulnerabilities-exploits/undefined
Description:
Apache Struts before 2.3.1.1 is susceptible to remote code execution. When developer mode is used in the DebuggingInterceptor component, a remote attacker can execute arbitrary OGNL commands via unspecified vectors, which can allow for execution of malware, obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Provider:
pentest-tools.com



