CVE-2014-0112
Published: 29 April 2014
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Priority
Status
Package | Release | Status |
---|---|---|
libstruts1.2-java (Launchpad, Ubuntu, Debian) | artful | Does not exist |
libstruts1.2-java | bionic | Does not exist |
libstruts1.2-java | cosmic | Does not exist |
libstruts1.2-java | disco | Does not exist |
libstruts1.2-java | lucid | Ignored (end of life) |
libstruts1.2-java | precise | Ignored (end of life) |
libstruts1.2-java | quantal | Ignored (end of life) |
libstruts1.2-java | saucy | Ignored (end of life) |
libstruts1.2-java | trusty | Does not exist (trusty was needed) |
libstruts1.2-java | upstream | Released (2.3.16.2) |
libstruts1.2-java | utopic | Ignored (end of life) |
libstruts1.2-java | vivid | Does not exist |
libstruts1.2-java | wily | Does not exist |
libstruts1.2-java | xenial | Does not exist |
libstruts1.2-java | yakkety | Does not exist |
libstruts1.2-java | zesty | Does not exist |
References
- https://struts.apache.org/release/2.3.x/docs/s2-021.html
- https://cwiki.apache.org/confluence/display/WW/S2-021
- https://bugzilla.redhat.com/show_bug.cgi?id=1091939
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
- http://jvn.jp/en/jp/JVN19294237/index.html
- https://www.cve.org/CVERecord?id=CVE-2014-0112
- NVD
- Launchpad
- Debian