
Apache Struts2 S2-008 RCE CVE-2012-0392

Severity
CVSSv3 Score: 6.8
Vulnerability description

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

Risk description

A remote unauthenticated attacker can fully compromise the server to steal confidential information, install ransomware, or pivot to the internal network.

Recommendation

Developers should immediately upgrade to at least Struts 2.3.18.

Codename: Not available
Detectable with: Network Scanner
Scan engine: Nuclei
Exploitable with Sniper: No
CVE Published: Jan 8, 2012
Detection added at:
Software Type: Not available
Vendor: Not available
Product: Not available