CVE-2014-0113
Published 2014-04-29
Priority: P2 · 79 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Status: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 78.31% (99.5th percentile)
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Affected
51 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
Detection & IOCs
- Detect HTTP GET requests to Struts action endpoints containing 'class[' or 'class.' cookie/query parameters targeting ClassLoader manipulation, specifically keys referencing 'classLoader', 'resources', 'context', 'parent', 'pipeline', 'first', 'directory', 'prefix', 'suffix', or 'fileDateFormat'.
- The exploit manipulates the Tomcat access-log valve via ClassLoader to write a JSP webshell into 'webapps/ROOT'; monitor for unexpected .jsp file creation in the web root following requests with ClassLoader manipulation parameters.
- The vulnerability is triggered via CookieInterceptor when a wildcard cookiesName value is used; inspect cookie headers for 'class' parameter names that map to getClass() method access.
- The exploit drops a JSP payload file with a random alphanumeric prefix and numeric date-format suffix (e.g., [a-z]{3,6}[0-9]{1,5}.jsp) into the web root; alert on creation of such files in webapps/ROOT.
- Affected versions are Apache Struts 2.0.0 through 2.3.16.1; flag any deployment of these versions as vulnerable. The fix is present in 2.3.16.2 and later (up to 2.3.20 for the related CVE-2014-0116).
- The vulnerability only triggers when CookieInterceptor is configured with a wildcard cookiesName value; deployments not using wildcard cookie names are not exposed.
- CVE-2014-0113 exists because of an incomplete fix for CVE-2014-0094, and the subsequent CVE-2014-0116 exists because of an incomplete fix for CVE-2014-0113; detection rules should cover all three related parameter-manipulation patterns.
- The Metasploit module targets port 8080 by default, but the actual deployment port may vary; do not limit detection solely to port 8080.
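The request-side and file-side checks from the notes above, as an added Python example (not code from this page or its sources). The function names, sample requests and placeholder values are constructed for illustration, and matching names case-insensitively after URL-decoding is a detection choice made here.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Keys named in the detection notes above, lower-cased for comparison.
SENSITIVE = {"classloader", "resources", "context", "parent", "pipeline",
             "first", "directory", "prefix", "suffix", "filedateformat"}
# A parameter or cookie name rooted at the 'class' property: "class." or "class[".
CLASS_ROOT = re.compile(r"^class(\.|\[)", re.IGNORECASE)
TOKEN = re.compile(r"[A-Za-z]+")
# Dropped-file naming pattern quoted in the notes above.
DROPPED_JSP = re.compile(r"[a-z]{3,6}[0-9]{1,5}\.jsp")

# Constructed sample requests: (path + query, Cookie header). Values are placeholders.
SAMPLES = [
    ("/app/index.action?id=7", "JSESSIONID=ABC123; theme=dark"),
    ("/app/index.action?class.classLoader.resources=PLACEHOLDER", ""),
    ("/app/index.action", "class%5B'classLoader'%5D%5B'parent'%5D=PLACEHOLDER"),
    ("/app/list.action?classroom=12", "lang=en"),
]


def suspicious_name(name):
    """True if a decoded name starts at 'class' and references a listed key."""
    name = unquote(name).strip()
    if not CLASS_ROOT.match(name):
        return False
    tokens = {t.lower() for t in TOKEN.findall(name)[1:]}
    return bool(tokens & SENSITIVE)


def scan_request(target, cookie_header=""):
    """Return flagged names from the query string and the Cookie header."""
    names = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    for part in cookie_header.split(";"):
        if part.strip():
            names.append(part.split("=", 1)[0])
    return [unquote(n).strip() for n in names if suspicious_name(n)]


def looks_like_dropped_jsp(filename):
    """True if a file name in webapps/ROOT fits the dropped-payload pattern."""
    return DROPPED_JSP.fullmatch(filename) is not None


if __name__ == "__main__":
    for target, cookies in SAMPLES:
        print(target, "->", scan_request(target, cookies))
```

The file-name pattern is broad enough to match ordinary names such as `page2.jsp`, so treat a hit as significant only when the file appears shortly after a flagged request.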
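CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |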
VulDB
Apache Struts up to 2.3.15.0 CookieInterceptor access control (EDB-33142 / Nessus ID 73763)
vuldb·2026-05-12·CVSS 7.5
CVE-2014-0113 [HIGH] Apache Struts up to 2.3.15.0 CookieInterceptor access control (EDB-33142 / Nessus ID 73763)
A vulnerability was found in Apache Struts up to 2.3.15.0 and classified as critical. Impacted is an unknown function of the component CookieInterceptor. Executing a manipulation can lead to improper access controls.
The identification of this vulnerability is CVE-2014-0113. The attack may be launched remotely. Furthermore, there is an exploit available.
It is suggested to upgrade the affected component.
OSV
ClassLoader manipulation in Apache Struts
osv·2022-05-14·CVSS 5.0
CVE-2014-0113 [MEDIUM] ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
GHSA
ClassLoader manipulation in Apache Struts
ghsa·2022-05-14·CVSS 7.5
CVE-2014-0116 [HIGH] ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
GHSA
ClassLoader manipulation in Apache Struts
ghsa·2022-05-14·CVSS 5.0
CVE-2014-0113 [MEDIUM] ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
OSV
ClassLoader manipulation in Apache Struts
osv·2022-05-14·CVSS 7.5
CVE-2014-0116 [HIGH] ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
VulnCheck
Apache Struts CookieInterceptor Vulnerability
vulncheck·2014·CVSS 5.0
CVE-2014-0113 [MEDIUM] Apache Struts CookieInterceptor Vulnerability
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Affected: Apache Struts
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/
Red Hat
struts2: Struts internals manipulation via cookie request headers
vendor_redhat·2014-05-05·CVSS 7.5
CVE-2014-0116 [HIGH] struts2: Struts internals manipulation via cookie request headers
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included
Red Hat
struts2: ClassLoader manipulation via cookie request headers
vendor_redhat·2014-04-25·CVSS 5.0
CVE-2014-0113 [MEDIUM] struts2: ClassLoader manipulation via cookie request headers
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in som
No detection rules found.
References
- http://secunia.com/advisories/59178
- http://www-01.ibm.com/support/docview.wss?uid=swg21676706
- http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
- http://www.securityfocus.com/archive/1/531952/100/0/threaded
- https://cwiki.apache.org/confluence/display/WW/S2-021