CVE-2014-0112 org.apache.struts:struts2-core

Package

Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=0 <2.3.20

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.9166 (percentile 0.99667)

Details

ClassLoader manipulation in Apache Struts: ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Metadata

Created: 2022-05-14T00:54:16Z
Modified: 2023-12-28T19:02:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-prjv-jj26-wf8h/GHSA-prjv-jj26-wf8h.json
CWE IDs: []
Alternative ID: GHSA-prjv-jj26-wf8h
Finding: F004
Auto approve: 1