VPR Score: 7.4
Synopsis
A web application running on the remote host uses a Java framework that is affected by multiple vulnerabilities.
Description
The version of Apache Struts running on the remote host is prior to 188.8.131.52. It is, therefore, affected by multiple vulnerabilities:
- The CookieInterceptor component in Apache Struts before 184.108.40.206 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. (CVE-2012-0392)
- Apache Struts before 220.127.116.11 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. (CVE-2011-3923)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache Struts version 18.104.22.168 or later.