CVE-2014-0112 Information
Description
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
References
http://jvn.jp/en/jp/JVN19294237/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
http://secunia.com/advisories/59178
http://secunia.com/advisories/59500
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.securityfocus.com/archive/1/531952/100/0/threaded
http://www.securityfocus.com/archive/1/532549/100/0/threaded
http://www.securityfocus.com/bid/67064
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
http://www-01.ibm.com/support/docview.wss?uid=swg21676706
https://access.redhat.com/errata/RHSA-2019:0910
https://bugzilla.redhat.com/show_bug.cgi?id=1091939
https://cwiki.apache.org/confluence/display/WW/S2-021