Apache Struts 2 CookieInterceptor Unspecified Security Bypass
Medium Nessus Plugin ID 73944
Synopsis
The remote web server contains a web application that uses a Java framework that is affected by a security bypass vulnerability.
Description
The remote web application appears to use Struts 2, a Java-based web application framework. The version of Struts 2 in use is affected by a security bypass vulnerability due to a flaw in CookieInterceptor.
A remote, unauthenticated attacker can exploit this issue to manipulate the ClassLoader and modify a session state to bypass security restrictions.
Note that this vulnerability can only be exploited when a wildcard character is used to configure the 'cookiesName' value.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
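The exploitability condition above (a wildcard in 'cookiesName') is something a defender can check for directly in the application's own configuration. The following Python is an added audit check, not part of the Nessus plugin or of Struts; the struts.xml fragments, the action name 'login' and the 'theme,locale' allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment showing the weak setting: a wildcard
# 'cookiesName' lets any request cookie be mapped onto the action.
WEAK_STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <interceptor-ref name="cookie">
        <param name="cookiesName">*</param>
        <param name="cookiesValue">*</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
    </action>
  </package>
</struts>"""

# The same fragment with an explicit allow-list of cookie names instead of '*'.
HARDENED_STRUTS_XML = WEAK_STRUTS_XML.replace(
    '<param name="cookiesName">*</param>',
    '<param name="cookiesName">theme,locale</param>')


def _cookie_interceptor_aliases(root) -> set:
    """'cookie' is the alias struts-default gives CookieInterceptor; also pick
    up any <interceptor> the file defines locally with that class."""
    aliases = {"cookie"}
    for ic in root.iter("interceptor"):
        if "CookieInterceptor" in ic.get("class", ""):
            aliases.add(ic.get("name", ""))
    return aliases


def find_wildcard_cookie_names(struts_xml: str) -> list:
    """Return names of actions whose CookieInterceptor 'cookiesName' param
    contains a wildcard, i.e. the configuration the advisory says is needed
    for the bypass. An empty list means no wildcard mapping was found."""
    root = ET.fromstring(struts_xml)
    aliases = _cookie_interceptor_aliases(root)
    flagged = []
    for action in root.iter("action"):
        for ref in action.iter("interceptor-ref"):
            if ref.get("name", "") not in aliases:
                continue
            for param in ref.findall("param"):
                if param.get("name") == "cookiesName" and "*" in (param.text or ""):
                    flagged.append(action.get("name", "?"))
    return flagged
```

Run it over each deployed struts.xml; any action it returns should have its 'cookiesName' replaced by an explicit list of the cookies the action actually needs, independently of the version upgrade.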
Solution
Upgrade to version 188.8.131.52 or later.