Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cndjLXFqbXctNXJqbc4AATRA
ClassLoader manipulation in Apache Struts
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Permalink: https://github.com/advisories/GHSA-vrwc-qjmw-5rjmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cndjLXFqbXctNXJqbc4AATRA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
EPSS Percentage: 0.97044
EPSS Percentile: 0.998
Identifiers: GHSA-vrwc-qjmw-5rjm, CVE-2014-0094
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-0094
- http://jvn.jp/en/jp/JVN19294237/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
- http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
- http://struts.apache.org/release/2.3.x/docs/s2-020.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21676706
- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
- http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
- http://www.vmware.com/security/advisories/VMSA-2014-0007.html
- https://github.com/apache/struts/commit/2e2da292166adbc78c4cb1e308b30ddb4fba6d3f
- https://github.com/apache/struts/commit/6315241719be167542962da436b38782ed730c62
- https://github.com/advisories/GHSA-vrwc-qjmw-5rjm
Blast Radius: 0.0
Affected Packages
maven:org.apache.struts.xwork:xwork-core
Dependent packages: 59Dependent repositories: 484
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.3.16.2
Fixed in: 2.3.16.2
All affected versions: 2.2.1, 2.2.3, 2.3.1-4.1, 2.3.1-4.2, 2.3.1-4.3, 2.3.1-5.1, 2.3.1-5.2, 2.3.1-5.3, 2.3.1-6.1
All unaffected versions: 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37
maven:org.apache.struts:struts2-core
Dependent packages: 194Dependent repositories: 6,183
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.3.16.2
Fixed in: 2.3.16.2
All affected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1-4.1, 2.3.1-4.2, 2.3.1-4.3, 2.3.1-5.1, 2.3.1-5.2, 2.3.1-5.3, 2.3.1-6.1
All unaffected versions: 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0, 6.6.0, 6.6.1, 6.7.0