CVE-2012-0392

Name of the Vulnerable Software and Affected Versions Apache Struts versions prior to 2.3.1.1

Description The issue is related to the CookieInterceptor component, which does not utilize a parameter-name whitelist. This allows remote attackers to execute arbitrary commands by crafting a specific HTTP Cookie header, triggering Java code execution through a static method. The vulnerability is associated with inadequate access control in the implementation of the CookieInterceptor class.

Recommendations For versions prior to 2.3.1.1, update to version 2.3.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the CookieInterceptor component to minimize the risk of exploitation.