ClassLoader manipulation in Apache Struts

GHSA-vrwc-qjmw-5rjm · CVE-2014-0094

Published May 14, 2022 · Modified Dec 6, 2024

Description

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-0094
WEB https://github.com/apache/struts/commit/2e2da292166adbc78c4cb1e308b30ddb4fba6d3f
WEB https://github.com/apache/struts/commit/6315241719be167542962da436b38782ed730c62
PACKAGE https://github.com/apache/struts
WEB http://jvn.jp/en/jp/JVN19294237/index.html
WEB http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
WEB http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
WEB http://struts.apache.org/release/2.3.x/docs/s2-020.html
WEB http://www-01.ibm.com/support/docview.wss?uid=swg21676706
WEB http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
WEB http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
WEB http://www.vmware.com/security/advisories/VMSA-2014-0007.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes