Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.0
CVE Id: CVE-2014-0094
Last Modified: 16 Apr 2015 09:59:05
Published: 11 Mar 2014 09:00:37
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2014-0094

Summary

The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Vulnerable Systems

Application

  • Apache Struts 2.0.0

  • Apache Struts 2.0.1

  • Apache Struts 2.0.10

  • Apache Struts 2.0.11

  • Apache Struts 2.0.11.1

  • Apache Struts 2.0.11.2

  • Apache Struts 2.0.12

  • Apache Struts 2.0.13

  • Apache Struts 2.0.14

  • Apache Struts 2.0.2

  • Apache Struts 2.0.3

  • Apache Struts 2.0.4

  • Apache Struts 2.0.5

  • Apache Struts 2.0.6

  • Apache Struts 2.0.7

  • Apache Struts 2.0.8

  • Apache Struts 2.0.9

  • Apache Struts 2.1.0

  • Apache Struts 2.1.1

  • Apache Struts 2.1.2

  • Apache Struts 2.1.3

  • Apache Struts 2.1.4

  • Apache Struts 2.1.5

  • Apache Struts 2.1.6

  • Apache Struts 2.1.8

  • Apache Struts 2.1.8.1

  • Apache Struts 2.2.1

  • Apache Struts 2.2.1.1

  • Apache Struts 2.2.3

  • Apache Struts 2.2.3.1

  • Apache Struts 2.3.1

  • Apache Struts 2.3.1.1

  • Apache Struts 2.3.1.2

  • Apache Struts 2.3.12

  • Apache Struts 2.3.14

  • Apache Struts 2.3.14.1

  • Apache Struts 2.3.14.2

  • Apache Struts 2.3.14.3

  • Apache Struts 2.3.15

  • Apache Struts 2.3.15.1

  • Apache Struts 2.3.15.2

  • Apache Struts 2.3.15.3

  • Apache Struts 2.3.16

  • Apache Struts 2.3.3

  • Apache Struts 2.3.4

  • Apache Struts 2.3.4.1

  • Apache Struts 2.3.7

  • Apache Struts 2.3.8


References

SECTRACK - 1029876

BID - 65999

BUGTRAQ - 20140306 [ANN] Struts 2.3.16.1 GA release available - security fix

CONFIRM - http://struts.apache.org/release/2.3.x/docs/s2-020.html

SECUNIA - 56440

JVNDB - JVNDB-2014-000045

JVN - JVN#19294237

CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0007.html

BUGTRAQ - 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library

MISC - http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html

CONFIRM - http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm

CONFIRM - http://www.konakart.com/downloads/ver-7-3-0-0-whats-new

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html


Last Updated: 27 May 2016 11:04:36