Vulnerability CVE-2014-0094
Published: 2014-03-11

Description:
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

See advisories in our WLB2 database:
Topic
Author
Date
High
Struts 1 ClassLoader Manipulation
Rene Gielen
30.04.2014
High
Apache Struts ClassLoader Manipulation Remote Code Execution
Redsadic
03.05.2014
High
Apache Struts < 1.3.10 / < 2.3.16.2 ClassLoader Manipulation Remote Code Execution
Matthew Hall
23.03.2017

Type:

CWE-noinfo

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Apache -> Struts 

 References:
http://jvn.jp/en/jp/JVN19294237/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
http://secunia.com/advisories/59178
http://struts.apache.org/release/2.3.x/docs/s2-020.html
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.securityfocus.com/archive/1/531362/100/0/threaded
http://www.securityfocus.com/archive/1/532549/100/0/threaded
http://www.securityfocus.com/bid/65999
http://www.securitytracker.com/id/1029876
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
http://www-01.ibm.com/support/docview.wss?uid=swg21676706
Copyright 2024, cxsecurity.com

 

Back to Top