Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcmp2LWpqMjYtd2Y4aM4AATRB
ClassLoader manipulation in Apache Struts
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Permalink: https://github.com/advisories/GHSA-prjv-jj26-wf8hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcmp2LWpqMjYtd2Y4aM4AATRB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
Identifiers: GHSA-prjv-jj26-wf8h, CVE-2014-0112
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-0112
- https://access.redhat.com/errata/RHSA-2019:0910
- https://bugzilla.redhat.com/show_bug.cgi?id=1091939
- https://cwiki.apache.org/confluence/display/WW/S2-021
- http://jvn.jp/en/jp/JVN19294237/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
- http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21676706
- http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
- http://www.vmware.com/security/advisories/VMSA-2014-0007.html
- https://github.com/advisories/GHSA-prjv-jj26-wf8h
Affected Packages
maven:org.apache.struts:struts2-core
Dependent packages: 194Dependent repositories: 6,183
Downloads:
Affected Version Ranges: < 2.3.20
Fixed in: 2.3.20
All affected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16
All unaffected versions: 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0