CVE-2014-0113 — ClassLoader manipulation in Apache Struts

Description

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

How to fix CVE-2014-0113

To remediate CVE-2014-0113, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.20 or later

Is CVE-2014-0113 being exploited?

Likely — EPSS is 82.2%, placing CVE-2014-0113 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 2.3.20

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0113
PATCHgithub.com/apache/struts
WEBcwiki.apache.org/confluence/display/WW/S2-021
WEBwww-01.ibm.com/support/docview.wss?uid=swg21676706