What is CVE-2012-0392?

CVE-2012-0392 is a vulnerability in Apache Struts. Published 2012-01-08.

Is CVE-2012-0392 known to be exploited?

10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Struts

CVE-2012-0392

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution throu…

EPSS: 0.903 (99.6th percentile) — read the EPSS interpretation.

Affected products

Apache Struts
N/a — versions n/a

Public proof-of-concept exploits

References

18329 (Exploit, exploit, Third Party Advisory, VDB Entry, x_refsource_EXPLOIT-DB)
20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2 (mailing-list, x_refsource_BUGTRAQ, Broken Link)
cve@mitre.org (x_refsource_CONFIRM, Release Notes, Vendor Advisory)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
cve@mitre.org (x_refsource_MISC, Broken Link)
[dailydave] 20120106 Apache Struts (mailing-list, x_refsource_MLIST, Exploit, Third Party Advisory)
47393 (x_refsource_SECUNIA, Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2012-0392?: CVE-2012-0392 is a vulnerability in Apache Struts. Published 2012-01-08.
Is CVE-2012-0392 known to be exploited?: 10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.