CVE-2012-0392 — Apache Struts's CookieInterceptor component does not use the parameter-name whit

Description

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

How to fix CVE-2012-0392

To remediate CVE-2012-0392, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.2.3.1 or later
Maven/org.apache.struts.xwork:xwork-core—upgrade to 2.2.3.1 or later

Is CVE-2012-0392 being exploited?

Likely — EPSS is 90.3%, placing CVE-2012-0392 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 2.2.3.1
from 0, < 2.2.3.1

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-0392
PATCHgithub.com/apache/struts
WEBarchives.neohapsis.com/archives/bugtraq/2012-01/0031.html
WEBgithub.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e