CVE-2014-0116

CWE-2646 documents6 sources

Severity

5.8MEDIUM

EPSS

2.8%

top 13.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts

Timeline

PublishedMay 8

Latest updateMay 14

Description

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶Mavenorg.apache.struts:struts2-core< 2.3.20

▶NVDapache/struts50 versions+49

🔴Vulnerability Details

GHSA

ClassLoader manipulation in Apache Struts↗2022-05-14

▶

OSV

ClassLoader manipulation in Apache Struts↗2022-05-14

▶

CVEList

CVE-2014-0116: CookieInterceptor in Apache Struts 2↗2014-05-08

▶

📋Vendor Advisories

Red Hat

struts2: Struts internals manipulation via cookie request headers↗2014-05-05

▶

💬Community

Bugzilla

CVE-2014-0116 struts2: Struts internals manipulation via cookie request headers↗2014-05-06

▶