Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wcmp2LWpqMjYtd2Y4aM4AATRB

ClassLoader manipulation in Apache Struts

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Permalink: https://github.com/advisories/GHSA-prjv-jj26-wf8h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcmp2LWpqMjYtd2Y4aM4AATRB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago

Identifiers: GHSA-prjv-jj26-wf8h, CVE-2014-0112
References:

Blast Radius: 0.0

Affected Packages

maven:org.apache.struts:struts2-core

Dependent packages: 194
Dependent repositories: 6,183
Downloads:
Affected Version Ranges: < 2.3.20
Fixed in: 2.3.20
All affected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16
All unaffected versions: 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0