CVE-2014-0112
Published: 2014-04-29
Priority: P181 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 97.91% (99.9th percentile)
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.0.0 < 2.3.16.2 | 2.3.16.2 |
Detection & IOCs
- Detect HTTP GET requests containing ClassLoader manipulation parameters targeting Tomcat pipeline log-writing properties (directory, prefix, suffix, fileDateFormat) via the 'class[classLoader]' or 'class.classLoader' parameter namespace in request query strings.
- Alert on HTTP GET requests to Struts action URLs (*.action) containing query parameters with 'classLoader' or 'classloader' in the parameter name, which indicates attempted ClassLoader manipulation via ParametersInterceptor.
- Monitor for newly created .jsp files under the Tomcat webapps/ROOT directory, which is the exploit's target drop location for the JSP webshell payload written via manipulated access log settings.
- For Struts 1.x targets, detect GET parameters using dot-notation 'class.classLoader.*' in addition to bracket-notation 'class[classLoader].*', as the exploit switches prefix based on version.
- For Windows/SMB variant of the exploit, detect GET requests to Struts action URLs containing 'class[classLoader].resources.dirContext.docBase' parameter pointing to a UNC path (\\host\share), indicating an attempt to load a remote SMB-hosted Java resource.
- The vulnerability affects Apache Struts 2.0.0 through 2.3.16.1 (fixed in 2.3.16.2 / before 2.3.20); it is an incomplete fix for CVE-2014-0094. Struts 1.x is covered by the related CVE-2014-0114, not this CVE.
- The Metasploit module targets both Struts 1.x (<=1.3.10) and 2.x (<2.3.16.2) but uses different parameter notation per version; detection rules should cover both dot-notation and bracket-notation forms.
- The exploit writes a JSP webshell to the Tomcat access log directory by manipulating the log pipeline's directory, prefix, suffix, and fileDateFormat settings; the resulting JSP filename is randomized (alphanumeric prefix + numeric date format + '.jsp').
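The request-side checks in the list above, applied to access-log lines. This is an added example, not a rule from any of the quoted sources; it assumes combined-format access logs, and the function names, tag names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Tomcat access-log settings the page lists as manipulation targets.
LOG_PROPS = {"directory", "prefix", "suffix", "filedateformat"}
REQUEST = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return sorted finding tags for one access-log line ([] means clean)."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    tags = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded names.
        name = unquote(name).lower()
        if "classloader" not in name:
            continue
        tags.add("classloader-param")      # bracket or dot notation
        if url.path.lower().endswith(".action"):
            tags.add("struts-action")
        leaf = name.rsplit(".", 1)[-1]     # last property segment
        if leaf in LOG_PROPS:
            tags.add("log-property")
        if leaf == "docbase" and value.startswith("\\\\"):
            tags.add("unc-docbase")        # docBase pointed at \\host\share
    return sorted(tags)

# Constructed sample lines; ".x." is a placeholder, not a real property path.
SAMPLE = [
    '203.0.113.5 - - [29/Apr/2014:10:00:01 +0000] "GET /shop/view.action?id=7 HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2014:10:00:02 +0000] "GET /shop/view.action?class%5BclassLoader%5D.x.directory=webapps/ROOT HTTP/1.1" 200 0',
    '203.0.113.5 - - [29/Apr/2014:10:00:03 +0000] "GET /old/login.do?class.classLoader.x.suffix=.jsp HTTP/1.1" 200 0',
    '203.0.113.5 - - [29/Apr/2014:10:00:04 +0000] "GET /shop/view.action?class[classLoader].resources.dirContext.docBase=%5C%5Chost%5Cshare HTTP/1.1" 200 0',
]

def scan(lines):
    """Map 1-based line number to tags for every line that matched."""
    return {i: t for i, l in enumerate(lines, 1) if (t := classify(l))}

if __name__ == "__main__":
    for lineno, tags in scan(SAMPLE).items():
        print(lineno, ", ".join(tags))
```

Matching on the decoded, lower-cased parameter name rather than a fixed prefix keeps the check independent of which notation a request uses.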
CVSS provenance
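| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 5.0 | MEDIUM | |
| osv | | 5.0 | MEDIUM | |
| vulncheck | | 5.0 | MEDIUM | |
| vendor_redhat | | 5.0 | MEDIUM | |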
Red Hat
struts2: ClassLoader manipulation via request parameters
vendor_redhat·2014-04-25·CVSS 5.0
CVE-2014-0112 [MEDIUM] struts2: ClassLoader manipulation via request parameters
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclus
VulDB
Oracle WebCenter Sites 11.1.1.6.1/11.1.1.8.0 Community access control (EDB-33142 / Nessus ID 73763)
vuldb·2026-05-12·CVSS 7.5
CVE-2014-0112 [HIGH] Oracle WebCenter Sites 11.1.1.6.1/11.1.1.8.0 Community access control (EDB-33142 / Nessus ID 73763)
A vulnerability described as very critical has been identified in Oracle WebCenter Sites 11.1.1.6.1/11.1.1.8.0. The impacted element is an unknown function of the component Community. Executing a manipulation can lead to improper access controls.
The identification of this vulnerability is CVE-2014-0112. The attack may be launched remotely. Furthermore, there is an exploit available.
Upgrading the affected component is recommended.
VulDB
Apache Struts up to 2.3.16.1 Class Loader access control (EDB-33142 / Nessus ID 73763)
vuldb·2026-05-12·CVSS 7.5
CVE-2014-0112 [HIGH] Apache Struts up to 2.3.16.1 Class Loader access control (EDB-33142 / Nessus ID 73763)
A vulnerability was found in Apache Struts up to 2.3.16.1 and classified as critical. This impacts an unknown function of the component Class Loader. Executing a manipulation can lead to improper access controls.
This vulnerability is handled as CVE-2014-0112. The attack can be executed remotely. Additionally, an exploit exists. This vulnerability has historical importance owing to its background and reception.
It is advised to implement the suggested workaround.
VulDB
Oracle MySQL Enterprise Monitor up to 2.3.16/3.0.10 Service Manager access control (EDB-33142 / Nessus ID 73763)
vuldb·2026-05-12·CVSS 7.5
CVE-2014-0112 [HIGH] Oracle MySQL Enterprise Monitor up to 2.3.16/3.0.10 Service Manager access control (EDB-33142 / Nessus ID 73763)
A vulnerability, which was classified as very critical, has been found in Oracle MySQL Enterprise Monitor up to 2.3.16/3.0.10. Affected by this vulnerability is an unknown functionality of the component Service Manager. Performing a manipulation results in improper access controls.
This vulnerability was named CVE-2014-0112. The attack may be initiated remotely. In addition, an exploit is available.
It is advisable to upgrade the affected component.
OSV
ClassLoader manipulation in Apache Struts
osv·2022-05-14·CVSS 5.0
CVE-2014-0112 [MEDIUM] ClassLoader manipulation in Apache Struts
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
GHSA
ClassLoader manipulation in Apache Struts
ghsa·2022-05-14·CVSS 5.0
CVE-2014-0112 [MEDIUM] ClassLoader manipulation in Apache Struts
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
VulnCheck
Apache Struts ParametersInterceptor ClassLoader Manipulation Vulnerability
vulncheck·2014·CVSS 5.0
CVE-2014-0112 [MEDIUM] Apache Struts ParametersInterceptor ClassLoader Manipulation Vulnerability
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Affected: Apache Struts
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/
No detection rules found.
Exploit-DB
Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)
exploitdb·2014-05-02
CVE-2014-0113 Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Apache Struts ClassLoader Manipulation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts
versions
[
'Mark Thomas', # Vulnerability Discovery
'Przemyslaw Celej', # Vulnerability Discovery
'pwntester ', # PoC
'Redsadic ' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0094'],
['CVE', '2014-0112'],
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020
Exploit-DB
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
exploitdb·2014-03-06
CVE-2014-0114 Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
Apache Struts 'Apache Struts ClassLoader Manipulation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts versions
1.x (
[
'Mark Thomas', # Vulnerability Discovery
'Przemyslaw Celej', # Vulnerability Discovery
'Redsadic ', # Metasploit Module
'Matthew Hall ' # SMB target
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0094'],
['CVE', '2014-0112'],
['CVE', '2014-0114'],
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204'],
['URL', 'https://github.com/rgielen/struts1filter/tree/develop
Metasploit
Apache Struts ClassLoader Manipulation Remote Code Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts versions 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due to the ParametersInterceptor. Both allow access to 'class' parameter that is directly mapped to getClass() method and allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters.
Bugzilla
CVE-2014-0114 struts: Apache Struts 1: Class Loader manipulation via request parameters [fedora-all]
bugzilla·2014-04-29·CVSS 7.5
CVE-2014-0114 [HIGH] CVE-2014-0114 struts: Apache Struts 1: Class Loader manipulation via request parameters [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this
Bugzilla
CVE-2014-0112 struts2: ClassLoader manipulation via request parameters
bugzilla·2014-04-28·CVSS 5.0
CVE-2014-0112 [MEDIUM] CVE-2014-0112 struts2: ClassLoader manipulation via request parameters
It was found that the fix for CVE-2014-0094 was incomplete. The Struts 2 ParametersInterceptor was updated to block access to the 'class' parameter, but not all forms in which this parameter can be specified were blocked. A remote attacker could use this flaw to manipulate the ClassLoader used by the application server running Struts 2. This could lead to arbitrary remote code execution under certain conditions.
This flaw is reported to affect Struts 2.0.0 through to Struts 2.3.16.1. It is corrected in 2.3.16.2.
External References:
https://cwiki.apache.org/confluence/display/WW/S2-021
Discussion:
This issue has been addressed in the following products:
Red Hat Fuse 7.3
Via RHSA-2019:0910 https://access.redhat.c
http://jvn.jp/en/jp/JVN19294237/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
http://secunia.com/advisories/59178
http://secunia.com/advisories/59500
http://www-01.ibm.com/support/docview.wss?uid=swg21676706
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.securityfocus.com/archive/1/531952/100/0/threaded
http://www.securityfocus.com/archive/1/532549/100/0/threaded
http://www.securityfocus.com/bid/67064
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
https://access.redhat.com/errata/RHSA-2019:0910
https://bugzilla.redhat.com/show_bug.cgi?id=1091939
https://cwiki.apache.org/confluence/display/WW/S2-021