Back to search

Apache Struts Classloader arbitrary command execution (CVE-2014-0112)

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	March 28, 2017	March 28, 2017	April 03, 2017

Available Exploits

Apache Struts ClassLoader Manipulation Remote Code Execution

Description

ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

Free InsightVM Trial

References

BID-67064
CVE-2014-0112
DISA_SEVERITY-Category I
DISA_VMSKEY-V0052895
IAVM-2014-B-0090
URL: https://struts.apache.org/docs/s2-021.html

Solution

apache-struts-upgrade-latest

Related Vulnerabilities

Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
Apache Struts: S2-021 (CVE-2014-0112): Security updates available for Apache Struts

Vulnerability & Exploit Database

Apache Struts Classloader arbitrary command execution (CVE-2014-0112)

Available Exploits

Description

Scan For This Vulnerability

References

Solution

Related Vulnerabilities

Legal

Resources & Help

Connect With Us

Stay in touch:

Quick Cookie Notification

Vulnerability & Exploit Database

Apache Struts Classloader arbitrary command execution (CVE-2014-0112)

Available Exploits

Description

Scan For This Vulnerability

References

Solution

Related Vulnerabilities

Legal

Resources & Help

Connect With Us

Stay in touch: