cbcvebase.
CVE-2014-0112
Published 2014-04-29


Priority: P1 81 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW (exploited in the wild), EXPLOIT, VulnCheck KEV
EPSS: 97.91% (99.9th percentile)
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Affected (1 range)

  vendor: apache
  product: struts
  version range: >= 2.0.0, < 2.3.16.2
  fixed in: 2.3.16.2

Detection & IOCs (extracted from sources)

  port: 8080
  path: /struts2-blank/example/HelloWorld.action
  path: webapps/ROOT
  command: class['classLoader'].resources.context.parent.pipeline.first.directory
  command: class['classLoader'].resources.context.parent.pipeline.first.prefix
  command: class['classLoader'].resources.context.parent.pipeline.first.suffix
  command: class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat
  command: class.classLoader (Struts 1.x prefix)
  command: class['classLoader'].resources.dirContext.docBase
  • Detect HTTP GET requests containing ClassLoader manipulation parameters targeting Tomcat pipeline log-writing properties (directory, prefix, suffix, fileDateFormat) via the 'class[classLoader]' or 'class.classLoader' parameter namespace in request query strings.
  • Alert on HTTP GET requests to Struts action URLs (*.action) containing query parameters with 'classLoader' or 'classloader' in the parameter name, which indicates attempted ClassLoader manipulation via ParametersInterceptor.
  • Monitor for newly created .jsp files under the Tomcat webapps/ROOT directory, which is the exploit's target drop location for the JSP webshell payload written via manipulated access log settings.
  • For Struts 1.x targets, detect GET parameters using dot-notation 'class.classLoader.*' in addition to bracket-notation 'class[classLoader].*', as the exploit switches prefix based on version.
  • For Windows/SMB variant of the exploit, detect GET requests to Struts action URLs containing 'class[classLoader].resources.dirContext.docBase' parameter pointing to a UNC path (\\host\share), indicating an attempt to load a remote SMB-hosted Java resource.
  • The vulnerability affects Apache Struts 2.0.0 through 2.3.16.1 (fixed in 2.3.16.2 / before 2.3.20); it is an incomplete fix for CVE-2014-0094. Struts 1.x is covered by the related CVE-2014-0114, not this CVE.
  • The Metasploit module targets both Struts 1.x (<=1.3.10) and 2.x (<2.3.16.2) but uses different parameter notation per version; detection rules should cover both dot-notation and bracket-notation forms.
  • The exploit writes a JSP webshell to the Tomcat access log directory by manipulating the log pipeline's directory, prefix, suffix, and fileDateFormat settings; the resulting JSP filename is randomized (alphanumeric prefix + numeric date format + '.jsp').
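The detection rules above reduce to a small amount of request parsing: look at requests to *.action URLs, find query parameters whose name contains "classLoader" in either bracket or dot notation, and classify the leaf property (the four Tomcat access-log pipeline settings, or docBase pointing at a UNC path). The following is an added example written for this page, not code from the CVE record, the Struts project or the Metasploit module. It scans constructed access-log lines in common log format; the IP address, timestamps and parameter values are placeholders, and the classification names ("tomcat-log-pipeline", "docbase-unc", "classloader-param") are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Tomcat access-log pipeline properties named on the page as the abused write targets.
PIPELINE_PROPS = {"directory", "prefix", "suffix", "fileDateFormat"}

# Request field of a common/combined access-log line: "METHOD TARGET PROTOCOL".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Case-insensitive, so both 'classLoader' and 'classloader' spellings are caught.
CLASSLOADER_RE = re.compile(r"classloader", re.IGNORECASE)

# UNC path of the form \\host\share... (value already URL-decoded by parse_qsl).
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def analyze_target(target):
    """Classify one request target (path?query). Returns a list of
    (kind, notation, leaf_property) tuples; empty means nothing suspicious."""
    parts = urlsplit(target)
    # Rule: only Struts action URLs are in scope for this CVE.
    if not parts.path.lower().endswith(".action"):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not CLASSLOADER_RE.search(name):
            continue
        # Struts 2.x exploit uses class['classLoader'] / class[classLoader];
        # Struts 1.x prefix is dot-notation class.classLoader.
        notation = "bracket" if "[" in name else "dot"
        leaf = name.rsplit(".", 1)[-1]
        if ".pipeline." in name and leaf in PIPELINE_PROPS:
            kind = "tomcat-log-pipeline"      # access-log directory/prefix/suffix/fileDateFormat
        elif leaf == "docBase" and UNC_RE.match(value):
            kind = "docbase-unc"              # Windows/SMB variant: docBase -> \\host\share
        else:
            kind = "classloader-param"        # any other ClassLoader manipulation attempt
        findings.append((kind, notation, leaf))
    return findings


def scan_log(lines):
    """Return [(line_number, method, findings)] for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = analyze_target(m.group("target"))
        if findings:
            hits.append((n, m.group("method"), findings))
    return hits


# Constructed sample log lines (not real traffic). Values are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2014:10:00:01 +0000] "GET /struts2-blank/example/HelloWorld.action?name=world HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2014:10:00:02 +0000] "GET /struts2-blank/example/HelloWorld.action?class%5B%27classLoader%27%5D.resources.context.parent.pipeline.first.directory=X HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2014:10:00:03 +0000] "GET /struts2-blank/example/HelloWorld.action?class.classLoader.resources.context.parent.pipeline.first.suffix=X HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2014:10:00:04 +0000] "GET /struts2-blank/example/HelloWorld.action?class%5B%27classLoader%27%5D.resources.dirContext.docBase=%5C%5CEXAMPLE-HOST%5Cshare HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2014:10:00:05 +0000] "GET /struts2-blank/example/HelloWorld.action?class.classLoader.resources=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2014:10:00:06 +0000] "GET /index.html?class.classLoader.resources=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, method, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} -> {findings}")
```

Lines 2 through 5 are flagged and line 6 is not, because it is not a Struts action URL. The parameter names are matched after URL decoding, so the bracket form arrives as `class['classLoader']...` whether or not the sender encoded the brackets and quotes. This covers the request-side rules only; the file-system rule (new .jsp files under webapps/ROOT) needs a file-integrity monitor rather than log parsing.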

CVSS provenance

  source         version  score  severity  vector
  nvd            2.0      7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
  ghsa           -        5.0    MEDIUM    -
  osv            -        5.0    MEDIUM    -
  vulncheck      -        5.0    MEDIUM    -
  vendor_redhat  -        5.0    MEDIUM    -