CVE-2014-0094
Published 2014-03-11
Priority: P2 · 76 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:N/I:P/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 99.61% (99.9th percentile)
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.0.0 < 2.3.16.2 | 2.3.16.2 |
| apache | struts | >= 2.0.0 < 2.3.16.1 | 2.3.16.1 |
Detection & IOCs (extracted from sources)
- Detect HTTP GET requests containing ClassLoader manipulation parameters targeting 'class[' or 'class.classLoader' in query strings, particularly with pipeline configuration sub-keys (directory, prefix, suffix, fileDateFormat).
- For Struts 1.x exploitation, look for the parameter name pattern 'class.classLoader' in HTTP requests; for Struts 2.x look for "class['classLoader']". Both are used to reach getClass() and manipulate the ClassLoader.
- The exploit writes a JSP webshell to 'webapps/ROOT' by redirecting Tomcat's access log via ClassLoader manipulation; monitor for unexpected .jsp files appearing in the web root shortly after suspicious GET requests.
- For the Windows/SMB variant, detect GET requests containing "class['classLoader'].resources.dirContext.docBase" pointing to a UNC path (\\host\share), indicating an attempt to load a remote SMB-hosted payload.
- The vulnerability is in ParametersInterceptor (Struts 2.x) and ActionForm bean population (Struts 1.x). Both allow the 'class' parameter to be passed to getClass(), enabling ClassLoader manipulation via crafted HTTP request parameters.
- The Struts 1.x attack vector uses dot notation ('class.classLoader') while Struts 2.x uses bracket notation ("class['classLoader']"). Detection rules must cover both syntactic forms to avoid blind spots.
- CVE-2014-0094 affects Apache Struts 2.x before 2.3.16.2; CVE-2014-0112 is an incomplete-fix bypass affecting Struts before 2.3.20. Detections should account for both vulnerability variants as they share the same exploitation technique.
- A related variant (CVE-2014-0113) exploits the same ClassLoader manipulation via CookieInterceptor when a wildcard cookiesName value is used, requiring cookie-header-based detection in addition to query-parameter detection.
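A log-side check for the parameter-name forms listed above, as an added example that is not taken from any of the cited sources: it flags a `class` segment followed by a property accessor in query-string and cookie names, in both dot and bracket notation, and marks values that are UNC paths. The sample requests, the host name and the `example` path segments are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A "class" path segment followed by a property accessor, in dot notation
# (class.classLoader) or bracket notation (class['classLoader']).
CLASS_SEGMENT = re.compile(r"""(?:^|[.\]'"\[])class\s*(?:\.|\[)""", re.I)
# Value that is a UNC path (\\host\share), as in the docBase variant.
UNC_VALUE = re.compile(r"^\\\\[^\\]+\\[^\\]+")


def fully_decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded names are still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def flag_pairs(source, pairs):
    """Return (source, name, value_is_unc) for each suspicious name."""
    hits = []
    for name, value in pairs:
        name = fully_decode(name)
        if CLASS_SEGMENT.search(name):
            hits.append((source, name, bool(UNC_VALUE.match(fully_decode(value)))))
    return hits


def scan_request(target, cookie_header=""):
    """Check query-string parameter names and cookie names of one request."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    cookies = [tuple(p.strip().split("=", 1))
               for p in cookie_header.split(";") if "=" in p]
    return flag_pairs("query", params) + flag_pairs("cookie", cookies)


# Constructed sample requests (request target, Cookie header); not real traffic.
SAMPLES = [
    ("/shop/view.action?id=7&class=economy&subclass.name=x", ""),
    ("/shop/view.action?class.classLoader.example.suffix=.txt", ""),
    ("/shop/view.action?class%5B%27classLoader%27%5D.resources.dirContext"
     ".docBase=%5C%5Cfileserver.example%5Cshare", ""),
    ("/shop/view.action?id=7", "JSESSIONID=abc; class['classLoader'].example.prefix=x"),
    ("/shop/view.action?class%255B%2527classLoader%2527%255D.example.prefix=x", ""),
]

if __name__ == "__main__":
    for target, cookie in SAMPLES:
        print(target[:50], scan_request(target, cookie))
```

A bare `class=economy` parameter and names such as `subclass.name` are deliberately not flagged, which keeps the rule usable on applications that have ordinary fields with those names.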
CVSS provenance
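| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | | 5.0 | MEDIUM | |
| osv | | 5.0 | MEDIUM | |
| vulncheck | | 5.0 | MEDIUM | |
| vendor_redhat | | 5.0 | MEDIUM | |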
Red Hat
struts2: ClassLoader manipulation via request parameters
vendor_redhat·2014-04-25·CVSS 5.0
CVE-2014-0112 [MEDIUM] struts2: ClassLoader manipulation via request parameters
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclus
Red Hat
struts2: ClassLoader manipulation via cookie request headers
vendor_redhat·2014-04-25·CVSS 5.0
CVE-2014-0113 [MEDIUM] struts2: ClassLoader manipulation via cookie request headers
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in som
Red Hat
struts2: ClassLoader manipulation via request parameters
vendor_redhat·2014-03-06·CVSS 5.0
CVE-2014-0094 [MEDIUM] struts2: ClassLoader manipulation via request parameters
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Google Guice repository, which includes struts2-core. Customers that build artefacts from
OSV
ClassLoader manipulation in Apache Struts
osv·2022-05-14·CVSS 5.0
CVE-2014-0113 [MEDIUM] ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
OSV
ClassLoader manipulation in Apache Struts
osv·2022-05-14·CVSS 5.0
CVE-2014-0112 [MEDIUM] ClassLoader manipulation in Apache Struts
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
GHSA
ClassLoader manipulation in Apache Struts
ghsa·2022-05-14·CVSS 5.0
CVE-2014-0112 [MEDIUM] ClassLoader manipulation in Apache Struts
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
OSV
ClassLoader manipulation in Apache Struts
osv·2022-05-14
CVE-2014-0094 [MEDIUM] ClassLoader manipulation in Apache Struts
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
GHSA
ClassLoader manipulation in Apache Struts
ghsa·2022-05-14·CVSS 5.0
CVE-2014-0113 [MEDIUM] ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
GHSA
ClassLoader manipulation in Apache Struts
ghsa·2022-05-14
CVE-2014-0094 [MEDIUM] ClassLoader manipulation in Apache Struts
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
VulnCheck
Apache Struts ParametersInterceptor Vulnerability
vulncheck·2014·CVSS 5.0
CVE-2014-0094 [MEDIUM] Apache Struts ParametersInterceptor Vulnerability
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Affected: Apache Struts
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/; https://www.sonatype.com/hubfs/SSCR-2024/SSCR_2024-FINAL-10-10-24.pdf
VulnCheck
Apache Struts CookieInterceptor Vulnerability
vulncheck·2014·CVSS 5.0
CVE-2014-0113 [MEDIUM] Apache Struts CookieInterceptor Vulnerability
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Affected: Apache Struts
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/
VulnCheck
Apache Struts ParametersInterceptor ClassLoader Manipulation Vulnerability
vulncheck·2014·CVSS 5.0
CVE-2014-0112 [MEDIUM] Apache Struts ParametersInterceptor ClassLoader Manipulation Vulnerability
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Affected: Apache Struts
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/
No detection rules found.
Exploit-DB
Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)
exploitdb·2014-05-02
CVE-2014-0113 Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Apache Struts ClassLoader Manipulation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts
versions
[
'Mark Thomas', # Vulnerability Discovery
'Przemyslaw Celej', # Vulnerability Discovery
'pwntester ', # PoC
'Redsadic ' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0094'],
['CVE', '2014-0112'],
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020
Exploit-DB
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
exploitdb·2014-03-06
CVE-2014-0114 Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
Apache Struts 'Apache Struts ClassLoader Manipulation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts versions
1.x (
[
'Mark Thomas', # Vulnerability Discovery
'Przemyslaw Celej', # Vulnerability Discovery
'Redsadic ', # Metasploit Module
'Matthew Hall ' # SMB target
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0094'],
['CVE', '2014-0112'],
['CVE', '2014-0114'],
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204'],
['URL', 'https://github.com/rgielen/struts1filter/tree/develop
Metasploit
Apache Struts ClassLoader Manipulation Remote Code Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts versions 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due to the ParametersInterceptor. Both allow access to 'class' parameter that is directly mapped to getClass() method and allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters.
Bugzilla
CVE-2014-0112 struts2: ClassLoader manipulation via request parameters
bugzilla·2014-04-28·CVSS 5.0
CVE-2014-0112 [MEDIUM] CVE-2014-0112 struts2: ClassLoader manipulation via request parameters
It was found that the fix for CVE-2014-0094 was incomplete. The Struts 2 ParametersInterceptor was updated to block access to the 'class' parameter, but not all forms in which this parameter can be specified were blocked. A remote attacker could use this flaw to manipulate the ClassLoader used by the application server running Struts 2. This could lead to arbitrary remote code execution under certain conditions.
This flaw is reported to affect Struts 2.0.0 through to Struts 2.3.16.1. It is corrected in 2.3.16.2.
External References:
https://cwiki.apache.org/confluence/display/WW/S2-021
Discussion:
This issue has been addressed in the following products:
Red Hat Fuse 7.3
Via RHSA-2019:0910 https://access.redhat.c
Bugzilla
CVE-2014-0094 struts2: ClassLoader manipulation via request parameters
bugzilla·2014-03-07·CVSS 5.0
CVE-2014-0094 [MEDIUM] CVE-2014-0094 struts2: ClassLoader manipulation via request parameters
It was found that the Struts 2 ParametersInterceptor allows access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by the application server running Struts 2. This could lead to arbitrary remote code execution under certain conditions.
This flaw is reported to affect Struts 2.0.0 through to Struts 2.3.16. It is corrected in 2.3.16.1.
External References:
https://cwiki.apache.org/confluence/display/WW/S2-020
Discussion:
Statement:
A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio
References
- http://jvn.jp/en/jp/JVN19294237/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
- http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
- http://secunia.com/advisories/56440
- http://secunia.com/advisories/59178
- http://struts.apache.org/release/2.3.x/docs/s2-020.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21676706
- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
- http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
- http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
- http://www.securityfocus.com/archive/1/531362/100/0/threaded
- http://www.securityfocus.com/archive/1/532549/100/0/threaded
- http://www.securityfocus.com/bid/65999
- http://www.securitytracker.com/id/1029876
- http://www.vmware.com/security/advisories/VMSA-2014-0007.html