Computer Security
[EN] securityvulns.ru no-pyccku


Apache Struts multiple security vulnerabilities
updated since 02.05.2014
Published:07.05.2014
Source:
SecurityVulns ID:13701
Type:remote
Threat Level:
6/10
Description:Few ClassLoader manipulation vulnerabilities with potential RCE impact.
Affected:APACHE : Struts 2.3
 APACHE : Struts 1.3
CVE:CVE-2014-0114 (The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.)
 CVE-2014-0112 (ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.)
 CVE-2014-0094 (The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.)
Original documentdocumentAPACHE, [ANN] Struts 2.3.16.3 GA release available - security fix (07.05.2014)
 documentAPACHE, [ANN][SECURITY] Struts 1 - CVE-2014-0114 -Mitigation Advice Available, Possible RCE Impact (02.05.2014)
 documentAPACHE, [ANN][SECURITY] ClassLoader manipulation issue confirmed for Struts 1 - CVE-2014-0114 (02.05.2014)
 documentAPACHE, [ANN] Struts 2.3.16.2 GA release available - security fix (02.05.2014)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod