CVE-2014-0116
Published: 8 May 2014
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Notes
| Author | Note |
|---|---|
| jdstrand | per Debian: `<not-affected>` (Struts 2.0.0 through to Struts 2.3.16.2) |
Priority
Status
| Package | Release | Status |
|---|---|---|
| libstruts1.2-java (Launchpad, Ubuntu, Debian) | lucid | Not vulnerable |
| libstruts1.2-java | precise | Not vulnerable |
| libstruts1.2-java | quantal | Not vulnerable |
| libstruts1.2-java | saucy | Not vulnerable |
| libstruts1.2-java | trusty | Does not exist (trusty was not-affected) |
| libstruts1.2-java | upstream | Not vulnerable |