CVE-2014-0094
ClassLoader manipulation in Apache Struts
EPSS 93.1%
Description
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
How to fix CVE-2014-0094
To remediate CVE-2014-0094, upgrade each affected package to the fixed version listed below.
- Maven/org.apache.struts:struts2-core—upgrade to 2.3.16.2 or later
- Maven/org.apache.struts.xwork:xwork-core—upgrade to 2.3.16.2 or later
Is CVE-2014-0094 being exploited?
Likely — EPSS is 93.1%, placing CVE-2014-0094 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- Maven/org.apache.struts:struts2-core: >= 2.0.0, < 2.3.16.2
- Maven/org.apache.struts.xwork:xwork-core: >= 2.0.0, < 2.3.16.2