Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-0094

14 documents, 8 sources
Severity: 5.0 MEDIUM
EPSS: 93.1% (top 0.20%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Mar 11
Latest update: May 14

Description

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (3 packages)

NVD | apache/struts | 2.0.0 | 2.3.16.1
Maven | org.apache.struts:struts2-core | 2.0.0 | 2.3.16.2
Maven | org.apache.struts.xwork:xwork-core | 2.0.0 | 2.3.16.2

🔴 Vulnerability Details (6)

OSV: ClassLoader manipulation in Apache Struts (2022-05-14)
GHSA: ClassLoader manipulation in Apache Struts (2022-05-14)
GHSA: ClassLoader manipulation in Apache Struts (2022-05-14)
GHSA: ClassLoader manipulation in Apache Struts (2022-05-14)
CVEList: CVE-2014-0094: The ParametersInterceptor in Apache Struts before 2 (2014-03-10)

💥 Exploits & PoCs (2)

Exploit-DB: Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit) (2014-05-02)
Exploit-DB: Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit) (2014-03-06)

📋 Vendor Advisories (3)

Red Hat: struts2: ClassLoader manipulation via request parameters (2014-04-25)
Red Hat: struts2: ClassLoader manipulation via cookie request headers (2014-04-25)
Red Hat: struts2: ClassLoader manipulation via request parameters (2014-03-06)

💬 Community (2)

Bugzilla: CVE-2014-0112 struts2: ClassLoader manipulation via request parameters (2014-04-28)
Bugzilla: CVE-2014-0094 struts2: ClassLoader manipulation via request parameters (2014-03-07)
CVE-2014-0094 (MEDIUM CVSS 5) | The ParametersInterceptor in Apache | cvebase.io