Apache Struts's CookieInterceptor component does not use the parameter-name whitelist

Description

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2022-05-04 00:29:43 UTC
Updated
2023-12-27 20:13:28 UTC
GitHub reviewed
2023-12-27 20:13:27 UTC
NVD published
2012-01-08

EPSS Score

Score Percentile
85.10% 99.34%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Credits

  • sunSUNQ (analyst)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.apache.struts:struts2-core < 2.2.3.1 2.2.3.1
maven org.apache.struts.xwork:xwork-core < 2.2.3.1 2.2.3.1

References

cvelogic Threat Intelligence