Vulnerability details: VCID-kbup-gtks-qbch
Vulnerability ID VCID-kbup-gtks-qbch
Aliases CVE-2012-0392
GHSA-2ppp-xj34-vvf7
Summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name allow list, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
Data source Exploit-DB
Date added Jan. 6, 2012
Description Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
Ransomware campaign use Known
Source publication date Jan. 6, 2012
Exploit type webapps
Platform multiple
Source update date March 10, 2017
Exploit Prediction Scoring System (EPSS)
Percentile 0.99614
EPSS Score 0.90286
Published At June 4, 2026, 12:55 p.m.
Date 2026-06-02T04:42:25.914227+00:00
Actor GitLab Importer
Action Import
Source https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.struts/struts2-core/CVE-2012-0392.yml
VulnerableCode Version 38.6.0