CVE-2014-0112

Vulnerability Description

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://jvn.jp/en/jp/JVN19294237/index.htmlThird Party AdvisoryVDB Entry
• http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045Third Party AdvisoryVDB Entry
• http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.hThird Party AdvisoryVDB Entry
• http://secunia.com/advisories/59178Permissions Required
• http://secunia.com/advisories/59500Permissions Required
• http://www-01.ibm.com/support/docview.wss?uid=swg21676706Third Party Advisory
• http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.htmlThird Party Advisory
• http://www.securityfocus.com/archive/1/531952/100/0/threadedThird Party AdvisoryVDB Entry
• http://www.securityfocus.com/archive/1/532549/100/0/threadedThird Party AdvisoryVDB Entry
• http://www.securityfocus.com/bid/67064Third Party AdvisoryVDB Entry
• http://www.vmware.com/security/advisories/VMSA-2014-0007.htmlThird Party Advisory
• https://access.redhat.com/errata/RHSA-2019:0910Third Party Advisory
• https://bugzilla.redhat.com/show_bug.cgi?id=1091939Issue Tracking
• https://cwiki.apache.org/confluence/display/WW/S2-021PatchVendor Advisory
• http://jvn.jp/en/jp/JVN19294237/index.htmlThird Party AdvisoryVDB Entry