CVE-2014-0113

Description

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Affected packages (1)

• Maven/org.apache.struts:struts2-corefrom 0, < 2.3.20

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-0113
• PATCHhttps://github.com/apache/struts
• WEBhttps://cwiki.apache.org/confluence/display/WW/S2-021
• WEBhttp://www-01.ibm.com/support/docview.wss?uid=swg21676706