Arbitrary Command Execution Affecting org.apache.struts.xwork:xwork-core package, versions [2,126.96.36.199)
- Snyk ID SNYK-JAVA-ORGAPACHESTRUTSXWORK-30789
- published 17 Jun 2014
- disclosed 8 Jan 2012
- credit Unknown
The CookieInterceptor component in Apache Struts before 188.8.131.52 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.