CVE-2014-0112

Description

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

How to fix CVE-2014-0112

To remediate CVE-2014-0112, upgrade the affected package to a fixed version below.

• Maven/org.apache.struts:struts2-core—upgrade to 2.3.20 or later

Is CVE-2014-0112 being exploited?

Likely — EPSS is 91.5%, placing CVE-2014-0112 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• from 0, < 2.3.20

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0112
• PATCHgithub.com/apache/struts
• WEBjvndb.jvn.jp/jvndb/JVNDB-2014-000045
• WEBjvn.jp/en/jp/JVN19294237/index.html
• WEB