Apache Struts's CookieInterceptor component does not use the parameter-name whitelist

説明

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

基本情報

タイプ
reviewed
深刻度
medium
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2022-05-04 00:29:43 UTC
更新
2023-12-27 20:13:28 UTC
GitHub レビュー済み
2023-12-27 20:13:27 UTC
NVD で公開
2012-01-08

EPSS Score

Score Percentile
85.10% 99.34%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Credits

  • sunSUNQ (analyst)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.apache.struts:struts2-core < 2.2.3.1 2.2.3.1
maven org.apache.struts.xwork:xwork-core < 2.2.3.1 2.2.3.1

References

cvelogic Threat Intelligence