CVE-2012-0392
published 2012-01-08CVE-2012-0392: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary…
PriorityP268medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
96.79%
99.9th percentile
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.0.0 < 2.3.1 | 2.3.1 |
Detection & IOCsextracted from sources · hover to see the quote
url/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))↗
url/Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'↗
url/Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')↗
cookie(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1↗
- →Exploit targets the /devmode.action endpoint with the 'debug=command' parameter and an OGNL expression in the 'expression' parameter to achieve RCE; monitor HTTP GET requests to this path. ↗
- →Malicious HTTP Cookie header contains OGNL expressions with '#_memberAccess["allowStaticMethodAccess"]' set to true and direct Runtime.exec() calls; inspect Cookie headers for these patterns. ↗
- →Shodan/FOFA fingerprinting queries identify exposed Struts2 instances; use these to find potentially vulnerable internet-facing assets. ↗
- →The vulnerability is triggered via the CookieInterceptor when cookie names are evaluated as OGNL expressions; look for HTTP requests to Struts .action endpoints accompanied by anomalous Cookie headers containing Java class references. ↗
- ·The vulnerability only applies when the CookieInterceptor is active in the Struts2 configuration; applications not using CookieInterceptor are not affected via the cookie vector. ↗
- ·The devmode.action RCE vector (exploit #3) only applies when the application is running in developer mode; disabling developer mode removes this specific attack surface. ↗
- ·Struts2-core jars were included in Red Hat Fuse Service Works 6.0.0 and Single Sign On 7.3.0+ source packages via a Google Guice import; customers building artefacts from source may be at risk even if the product itself does not actively use Struts2. ↗
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
struts: arbitrary command execution via crafted HTTP Cookie header
vendor_redhat·2011-12-25·CVSS 6.8
CVE-2012-0392 [MEDIUM] struts: arbitrary command execution via crafted HTTP Cookie header
struts: arbitrary command execution via crafted HTTP Cookie header
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the G
GHSA
Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
ghsa·2022-05-04
CVE-2012-0392 [MEDIUM] Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
OSV
Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
osv·2022-05-04
CVE-2012-0392 [MEDIUM] Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
No detection rules found.
Exploit-DB
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
exploitdb·2012-01-06
CVE-2012-0394 Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
Apache Struts 2
title: Multiple critical vulnerabilities in Apache Struts2
product: Apache Struts2
* OpenSymphony XWork
* OpenSymphony OGNL
vulnerable version: 2.3.1 and below
fixed version: 2.3.1.1
impact: critical
homepage: http://struts.apache.org/
found: 2011-11-18
by: Johannes Dahse, Andreas Nusser
SEC Consult Vulnerability Lab
https://www.sec-consult.com
Vendor description:
Apache Struts2 is a web framework for creating Java web applications. It is
using the OpenSymphony XWork and OGNL libraries. By default, XWork's
ParametersInterceptor treats parameter names provided to actions as OGNL
expressions. A OGNL (Object Graph Navigation Language) expression is a limited
language similar to Java that is tokenized and parsed by the OGNL parser which
invokes appropiate Java methods. This al
Nuclei
Apache Struts2 S2-008 RCE
nuclei·CVSS 6.8
CVE-2012-0392 [MEDIUM] Apache Struts2 S2-008 RCE
Apache Struts2 S2-008 RCE
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Template:
id: CVE-2012-0392
info:
name: Apache Struts2 S2-008 RCE
author: pikpikcu
severity: medium
description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
impact: |
Successful exploitation of this vulnerability can lead to remote code execution on the affected server.
remediation: Developers s
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
NoiseLetter September 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Bugzilla
CVE-2012-0392 struts: arbitrary command execution via crafted HTTP Cookie header
bugzilla·2012-01-11·CVSS 6.8
CVE-2012-0392 [MEDIUM] CVE-2012-0392 struts: arbitrary command execution via crafted HTTP Cookie header
CVE-2012-0392 struts: arbitrary command execution via crafted HTTP Cookie header
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0392 to
the following vulnerability:
Name: CVE-2012-0392
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
Assigned: 20120108
Reference: BUGTRAQ:20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
Reference: EXPLOIT-DB:18329
Reference: http://www.exploit-db.com/exploits/18329
Reference: https://lists.immunityinc.com/pipermail/dailydave/2012-January/000011.html
Reference: https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
Reference: http://struts.apache.org/2.x/docs/s2
arXiv
Detection of Configuration Vulnerabilities in Distributed (Web) Environments
arxiv_fulltext·2012-07-12
Detection of Configuration Vulnerabilities in Distributed (Web) Environments
Detection of Configuration Vulnerabilities in Distributed (Web) Environments This work was partially
supported by the FP7-ICT-2009.1.4 Project PoSecCo (no. 257129,
.posecco.eu)
Detection of configuration vulnerabilities
Matteo Maria Casalino Michele Mangili Henrik Plate Serena
Elisa Ponta
SAP Research Sophia-Antipolis, 805 Avenue Dr M. Donat,
06250 Mougins, France matteo.maria.casalino,
henrik.plate, [email protected]
M. M. Casalino M. Mangili H. Plate S. E. Ponta
## Abstract
Many tools and libraries are readily available to build and operate
distributed Web applications. While the setup of operational
environments is comparatively easy, practice shows that their
continuous secure operation is more difficult to achieve, many times
resulting in vulnerable systems exposed to the Int
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlhttp://secunia.com/advisories/47393http://struts.apache.org/2.x/docs/s2-008.htmlhttp://struts.apache.org/2.x/docs/version-notes-2311.htmlhttp://www.exploit-db.com/exploits/18329https://lists.immunityinc.com/pipermail/dailydave/2012-January/000011.htmlhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txthttp://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlhttp://secunia.com/advisories/47393http://struts.apache.org/2.x/docs/s2-008.htmlhttp://struts.apache.org/2.x/docs/version-notes-2311.htmlhttp://www.exploit-db.com/exploits/18329https://lists.immunityinc.com/pipermail/dailydave/2012-January/000011.htmlhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
2012-01-08
Published