CVE-2014-0113
published 2014-04-29


Priority: P2 · 79 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 78.31% (99.5th percentile)
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Affected

51 ranges · showing 25

Vendor   Product   Version range   Fixed in
apache   struts    (not captured)  (not captured)

All 25 rows shown are apache / struts; the version range and fixed-in columns were not captured on this page.

Detection & IOCs (extracted from sources)

url: /struts2-blank/example/HelloWorld.action
port: 8080
command: class['classLoader'].resources.context.parent.pipeline.first.directory
command: class['classLoader'].resources.context.parent.pipeline.first.prefix
command: class['classLoader'].resources.context.parent.pipeline.first.suffix
command: class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat
path: webapps/ROOT
  • Detect HTTP GET requests to Struts action endpoints containing 'class[' or 'class.' cookie/query parameters targeting ClassLoader manipulation, specifically keys referencing 'classLoader', 'resources', 'context', 'parent', 'pipeline', 'first', 'directory', 'prefix', 'suffix', or 'fileDateFormat'.
  • The exploit manipulates the Tomcat access-log valve via the ClassLoader to write a JSP webshell into 'webapps/ROOT'; monitor for unexpected .jsp file creation in the web root following requests carrying ClassLoader manipulation parameters.
  • The vulnerability is triggered via CookieInterceptor when a wildcard cookiesName value is used; inspect cookie headers for 'class' parameter names that map to getClass() method access.
  • The exploit drops a JSP payload file with a random alphanumeric prefix and a numeric date-format suffix (e.g., [a-z]{3,6}[0-9]{1,5}.jsp) into the web root; alert on creation of such files in webapps/ROOT.
  • Affected versions are Apache Struts 2.0.0 through 2.3.16.1; flag any deployment of these versions as vulnerable. The fix is present in 2.3.16.2 and later (up to 2.3.20 for the related CVE-2014-0116).
  • The vulnerability only triggers when CookieInterceptor is configured with a wildcard cookiesName value; deployments not using wildcard cookie names are not exposed.
  • CVE-2014-0113 exists because of an incomplete fix for CVE-2014-0094, and the subsequent CVE-2014-0116 in turn exists because of an incomplete fix for CVE-2014-0113; detection rules should cover all three related parameter-manipulation patterns.
  • The Metasploit module targets port 8080 by default, but the actual deployment port may vary; do not limit detection solely to port 8080.

CVSS provenance

nvd (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa: 7.5 HIGH
osv: 7.5 HIGH
vulncheck: 5.0 MEDIUM
vendor_redhat: 7.5 HIGH