CVE-2014-0114
libstruts1.2-java - security update
EPSS 92.3%
Description
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
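As an added illustration (not code from this advisory or from the BeanUtils project), the Java snippet below checks whether a commons-beanutils instance still exposes the `class` property to `populate()` and applies the `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` mitigation that commons-beanutils added in 1.9.2 and enables by default from 1.9.4. The `Form` bean is a constructed stand-in for a Struts 1 ActionForm.

```java
import java.beans.PropertyDescriptor;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed sample bean standing in for a Struts 1 ActionForm.
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Returns true if this PropertyUtilsBean would let request parameters
     * reach the bean's "class" property (and through it the ClassLoader).
     */
    static boolean exposesClassProperty(PropertyUtilsBean pu, Object bean) {
        for (PropertyDescriptor pd : pu.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        PropertyUtilsBean pu = BeanUtilsBean.getInstance().getPropertyUtils();
        Form form = new Form();

        // On 1.9.2/1.9.3 this prints true: "class" is a visible property.
        System.out.println("before: exposes class = " + exposesClassProperty(pu, form));

        // Mitigation: register the introspector that hides "class".
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class, so drop the cache for it to apply.
        pu.clearDescriptors();

        // Now prints false; populate() will ignore any "class.*" parameter.
        System.out.println("after: exposes class = " + exposesClassProperty(pu, form));
    }
}
```

On 1.9.4 the first check already prints false without the explicit registration; on 1.8.x the introspector class does not exist, so the only fix is the version upgrade listed below.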
How to fix CVE-2014-0114
To remediate CVE-2014-0114, upgrade the affected package to a fixed version below.
- Debian/commons-beanutils—upgrade to 1.9.2-1 or later
- —upgrade to 1.2.9-4+deb6u1 or later
- —upgrade to 1.2.9-5+deb7u1 or later
- —upgrade to 1.9.4 or later
Is CVE-2014-0114 being exploited?
Likely — EPSS is 92.3%, placing CVE-2014-0114 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- from 0, < 1.9.2-1
- from 0, < 1.2.9-4+deb6u1
- from 0, < 1.2.9-5+deb7u1
- >= 1.8.0, < 1.9.4