ClassLoader manipulation in Apache Struts

GHSA-3c5c-xrq4-qhr8 · CVE-2014-0113

Published May 14, 2022 · Modified Dec 4, 2024

Description

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-0113
WEB https://cwiki.apache.org/confluence/display/WW/S2-021
PACKAGE https://github.com/apache/struts
WEB http://www-01.ibm.com/support/docview.wss?uid=swg21676706

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes