CVE-2022-22012 is a remote code execution vulnerability in the Windows implementation of the Lightweight Directory Access Protocol (LDAP), the directory service protocol served by Active Directory domain controllers and Active Directory Lightweight Directory Services instances. It is a Microsoft product vulnerability, not an Apache Struts flaw. The vulnerability was assigned a CVSS base score of 9.8 out of 10 because an unauthenticated network attacker can fully compromise confidentiality, integrity, and availability of the affected server.
Microsoft disclosed and patched the vulnerability on May 10, 2022, as part of that month's Patch Tuesday release. An attacker who can reach the LDAP service sends a specially crafted request to a vulnerable server; successful exploitation runs attacker-supplied code in the context of the SYSTEM account, giving complete control of the host. Because the affected hosts are typically domain controllers, that level of access also exposes directory data and credentials and allows the attacker to pivot to other systems in the domain. Microsoft's advisory notes an important precondition: the flaw is exploitable only if the MaxReceiveBuffer LDAP policy has been set to a value higher than its default, so servers running with the default LDAP query policy are not exposed.
Windows LDAP servers are present in almost every Active Directory environment across industry and government, so the vulnerability warranted prompt attention. Organizations were advised to install the May 2022 security updates immediately; no in-the-wild exploitation had been reported at the time of disclosure. Environments that have raised MaxReceiveBuffer above the default should patch first and, until they do, treat the raised limit as a compensating-control question: either restore the default or confirm that only trusted networks can reach the LDAP service.
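The MaxReceiveBuffer precondition described above is something an administrator can verify directly. The following PowerShell check is an added example written for this page, not code from Microsoft or from any advisory; it assumes the ActiveDirectory module is available, that it is run against a domain controller by an account that can read the Configuration partition, and that the Windows default for MaxReceiveBuffer is 10485760 bytes (10 MB). It enumerates every LDAP query policy object and reports any whose MaxReceiveBuffer exceeds that default.

```powershell
# Added example: report whether any LDAP query policy raises MaxReceiveBuffer
# above the Windows default (10485760 bytes, 10 MB), which Microsoft lists as
# the precondition for exploiting CVE-2022-22012. Assumes the ActiveDirectory
# module and read access to the Configuration naming context.
Import-Module ActiveDirectory

$DefaultMaxReceiveBuffer = 10485760

# Query policies live under the Directory Service container of the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyContainer = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Each queryPolicy object stores its limits as "Name=Value" strings in lDAPAdminLimits.
$policies = Get-ADObject -SearchBase $policyContainer `
    -Filter 'objectClass -eq "queryPolicy"' `
    -Properties lDAPAdminLimits

foreach ($policy in $policies) {
    $limit = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }

    if (-not $limit) {
        # No explicit entry means the built-in default is in effect for this policy.
        "{0}: MaxReceiveBuffer not set (default {1} applies)" -f $policy.Name, $DefaultMaxReceiveBuffer
        continue
    }

    # Split only on the first '=' so the numeric value is parsed cleanly.
    $value = [int64](($limit -split '=', 2)[1])

    if ($value -gt $DefaultMaxReceiveBuffer) {
        "{0}: MaxReceiveBuffer={1} is ABOVE the default; unpatched domain controllers using this policy are exposed to CVE-2022-22012" -f $policy.Name, $value
    }
    else {
        "{0}: MaxReceiveBuffer={1} (at or below the default)" -f $policy.Name, $value
    }
}
```

Most forests have only the Default Query Policy, but a domain controller can be bound to a custom policy through the queryPolicyObject attribute on its nTDSDSA object, which is why the script walks every policy rather than only the default one. The same values can be inspected interactively with ntdsutil ("ldap policies", then "show values" after connecting to the server), which is useful on a host where the ActiveDirectory module is not installed.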
Description last updated: 2023-06-23T13:13:19.201Z