Back to search
CVE-2014-0112
Published: Apr 29, 2014
Modified: Aug 6, 2024
PUBLISHED
Description
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://cwiki.apache.org/confluence/display/WW/S2-021
x_refsource_CONFIRM
59178
third-party-advisory
x_refsource_SECUNIA
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
x_refsource_CONFIRM
20140426 [ANN] Struts 2.3.16.2 GA release available - security fix
mailing-list
x_refsource_BUGTRAQ
59500
third-party-advisory
x_refsource_SECUNIA
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
x_refsource_CONFIRM
67064
vdb-entry
x_refsource_BID
JVN#19294237
third-party-advisory
x_refsource_JVN
JVNDB-2014-000045
third-party-advisory
x_refsource_JVNDB
http://www-01.ibm.com/support/docview.wss?uid=swg21676706
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=1091939
x_refsource_CONFIRM
20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library
mailing-list
x_refsource_BUGTRAQ
RHSA-2019:0910
vendor-advisory
x_refsource_REDHAT
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now