CVE-2012-0392: Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
N/A
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.99772%
CWE
-
Published
5/4/2022
Updated
12/27/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
-
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.struts:struts2-core | maven | < 2.2.3.1 | 2.2.3.1 |
org.apache.struts.xwork:xwork-core | maven | < 2.2.3.1 | 2.2.3.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly states that the CookieInterceptor
component failed to use the parameter-name whitelist. Attackers exploited this by sending malicious cookies containing OGNL expressions, which were processed without validation()
. While the provided commit diff shows fixes in other interceptors (e.g., ConversionErrorInterceptor
) to escape OGNL expressions, the root cause lies in the CookieInterceptor
's lack of whitelist enforcement. The absence of whitelist checks in cookie parameter handling directly aligns with the CVE's technical details and exploit examples involving HTTP Cookie headers.