Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-0112

CWE-2649 documents8 sources

Severity

7.5HIGH

EPSS

91.4%

top 0.34%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Struts

Timeline

PublishedApr 29

Latest updateMay 14

Description

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDapache/struts2.0.0 — 2.3.16.2

▶Mavenorg.apache.struts:struts2-core< 2.3.20

Patches

Patch: cwiki.apache.org ↗Patch: cwiki.apache.org ↗

🔴Vulnerability Details

OSV

ClassLoader manipulation in Apache Struts↗2022-05-14

▶

GHSA

ClassLoader manipulation in Apache Struts↗2022-05-14

▶

CVEList

CVE-2014-0112: ParametersInterceptor in Apache Struts before 2↗2014-04-29

▶

VulnCheck

Apache Struts ParametersInterceptor ClassLoader Maniupulation Vulnerability↗2014

▶

💥Exploits & PoCs

Exploit-DB

Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)↗2014-05-02

▶

Exploit-DB

Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)↗2014-03-06

▶

📋Vendor Advisories

Red Hat

struts2: ClassLoader manipulation via request parameters↗2014-04-25

▶

💬Community

Bugzilla

CVE-2014-0112 struts2: ClassLoader manipulation via request parameters↗2014-04-28

▶