The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
| Score | Percentile |
|---|---|
| 85.10% | 99.34% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-2ppp-xj34-vvf7 ↗ |
| CVE | CVE-2012-0392 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | org.apache.struts:struts2-core | < 2.2.3.1 | 2.2.3.1 | — |
| maven | org.apache.struts.xwork:xwork-core | < 2.2.3.1 | 2.2.3.1 | — |