Who should read this

All Struts 2 developers

Impact of vulnerability

Remote command execution and arbitrary file overwrite; strict Dynamic Method Invocation (DMI) does not work correctly

Maximum security rating


Recommendation

Developers should immediately upgrade to at least Struts 2.3.18, or read the following solution instructions carefully for a configuration change that mitigates the vulnerability.
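The bulletin refers to a configuration change but the solution section itself is not reproduced above. The struts.xml fragment below is an added example, not the bulletin's own instructions: it shows the two standard Struts 2 constants that govern the behaviours named in the impact statement, development mode and Dynamic Method Invocation, with the insecure values commented out beside the hardened ones. That these are the exact settings the bulletin's solution prescribes is an assumption; the package name, action name, class name and JSP path are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Insecure values (shown for contrast, assumed to be what a
         vulnerable deployment carries): development mode enables
         debugging features that are not meant for production, and
         DMI lets the client choose the action method at request time
         with the "action!method" notation. -->
    <!--
    <constant name="struts.devMode" value="true" />
    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
    -->

    <!-- Hardened values: both features switched off. -->
    <constant name="struts.devMode" value="false" />
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Placeholder package: with DMI disabled, the method an action
         runs is fixed here in configuration rather than by the URL. -->
    <package name="default" namespace="/" extends="struts-default">
        <action name="hello" class="example.HelloAction" method="execute">
            <result>/WEB-INF/jsp/hello.jsp</result>
        </action>
    </package>
</struts>
```

After changing these constants, verify the result on a running instance: a request for `hello!someOtherMethod.action` should no longer dispatch to `someOtherMethod`, and the development-mode debugging output should be absent from responses.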

Affected Software

Struts 2.0.0 - Struts 2.3.17

Original JIRA Ticket


Reporter

Johannes Dahse, SEC Consult Vulnerability Lab, and Bruce Phillips (blog post)

CVE Identifier

CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394

Original Description

Reported directly to security@struts.a.o, and described in the blog post "Struts 2 Security Vulnerability - Dynamic Method Invocation"