Summary
ClassLoader manipulation allows remote attackers to execute arbitrary Java code.
Impact
A remote attacker can execute arbitrary Java code via crafted parameters
Solution
Upgrade Apache Struts to 2.3.16.2 or higher.
Insight
The ParametersInterceptor allows remote attackers to manipulate the ClassLoader via the class parameter, which is passed to the getClass method.
Affected
Apache Struts 2.0.0 to 2.3.16.1
Detection
Check the installed Apache Struts version, or check the applications found by the scanner.
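The Insight and Detection entries above describe two checks a defender can automate: whether an installed Struts version falls inside the affected range, and whether request parameter names traverse from a bean property into "class" or "classLoader" (the path the ParametersInterceptor exposed through getClass). The following is an added example, not code from the scanner page or from the Apache Struts project. The log lines are constructed, the Apache combined-log layout is assumed, and the segment-based name filter is a simplified illustration of the parameter-exclusion idea, not the exclusion pattern the Struts fix actually ships.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Affected range taken from the advisory text (2.0.0 through 2.3.16.1).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 3, 16, 1)


def parse_version(version):
    """Turn '2.3.16.1' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version):
    """True if the given Struts version lies within the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Parameter names are OGNL-style property paths such as a.b[c].d; split on the
# separators and look for a segment that reaches the class or its loader.
_SEGMENT_SPLIT = re.compile(r"[.\[\]()]+")
_SENSITIVE_SEGMENTS = {"class", "classloader"}


def is_classloader_traversal(param_name):
    """True if any path segment of the parameter name is 'class' or 'classLoader'."""
    segments = [s.lower() for s in _SEGMENT_SPLIT.split(param_name) if s]
    return any(seg in _SENSITIVE_SEGMENTS for seg in segments)


# Request line inside an Apache combined-format access log entry (assumed layout).
_REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(request_target):
    """Return parameter names in a request target that match the traversal check.

    parse_qsl decodes percent-encoding first, so 'class%2EclassLoader' is seen
    as 'class.classLoader' rather than slipping past a raw-string comparison.
    """
    query = urlsplit(request_target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_classloader_traversal(name)]


def scan_access_log(lines):
    """Yield (line_number, parameter_name) for every suspicious parameter found."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        for name in suspicious_params(match.group(1)):
            hits.append((lineno, name))
    return hits


# Constructed sample log: lines 2 and 3 should be flagged, lines 1 and 4 should not.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2014:10:01:02 +0000] "GET /app/index.action?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Mar/2014:10:01:05 +0000] "GET /app/index.action?class.classLoader.foo=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Mar/2014:10:01:07 +0000] "POST /app/login.action?user=bob&Class%5BclassLoader%5D.bar=x HTTP/1.1" 302 0',
    '10.0.0.7 - - [07/Mar/2014:10:02:00 +0000] "GET /app/search.action?classroom=7 HTTP/1.1" 200 128',
]


if __name__ == "__main__":
    for v in ("2.3.16.1", "2.3.16.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    for lineno, name in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious parameter name {name!r}")
```

The version check relies on tuple ordering, so a three-component version such as 2.3.16 sorts below 2.3.16.1 and is correctly reported as affected. The name filter operates on decoded, segment-split names so that bracket notation, mixed case and percent-encoding do not change the result, while an ordinary name like "classroom" is left alone.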
References
CVE-2014-0094, CVE-2014-0112
Severity
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P