Arbitrary Command Execution Affecting com.opensymphony:xwork-core package, versions [2.1.4,2.1.6]


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
96.31% (100th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-COMOPENSYMPHONY-30326
  • published20 Dec 2011
  • disclosed20 Dec 2011
  • creditJohannes Dahse, Bruce Phillips

Introduced: 20 Dec 2011

CVE-2012-0392  (opens in a new tab)
CWE-264  (opens in a new tab)

Overview

com.opensymphony:xwork-core is an command-pattern framework that is used to power WebWork as well as other applications. XWork provides an Inversion of Control container, a powerful expression language, data type conversion, validation, and pluggable configuration.

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

CVSS Scores

version 3.1