Summary
ClassLoader Manipulation allows remote attackers to to execute arbitrary Java code
Impact
A remote attacker can execute arbitrary Java code via crafted parameters
Solution
Upgrade Apache Struts to 2.3.16.2 or higher.
Insight
The ParametersInterceptor allows remote attackers to manipulate the ClassLoader via the class parameter, which is passed to the getClass method.
Affected
Apache Struts 2.0.0 to 2.3.16.1
Detection
Check installed version or check the found apps.
References
Severity
Classification
-
CVE CVE-2014-0094, CVE-2014-0112 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Allegro RomPager `Misfortune Cookie` Vulnerability
- Advantech WebAccess Multiple Vulnerabilities
- AlstraSoft AskMe Pro 'forum_answer.php' and 'profile.php' Multiple SQL Injection Vulnerabilities
- Apache Axis2 Document Type Declaration Processing Security Vulnerability
- Adobe ColdFusion Directory Traversal Vulnerability