CVE-2014-0116 — ClassLoader manipulation in Apache Struts

Description

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.

How to fix CVE-2014-0116

To remediate CVE-2014-0116, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.20 or later

Is CVE-2014-0116 being exploited?

Low — EPSS is 2.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.3.20

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0116
PATCHgithub.com/apache/struts
WEBgithub.com/apache/struts/commit/1a668af7f1ffccea4a3b46d8d8c1fe1c7331ff02
WEBstruts.apache.org/release/2.3.x/docs/s2-022.html