CVE-2014-0112
EXPLOITED
Apache Struts <2.3.20 - RCE
Title source: llm
Description
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Exploits (3)
metasploit
WORKING POC
MANUAL
by Mark Thomas, Przemyslaw Celej · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb
References (14)
Scores
EPSS
0.9142
EPSS Percentile
99.7%
Details
VulnCheck KEV
2022-05-11
CWE
CWE-264
Status
published
Products (2)
apache/struts
2.0.0 - 2.3.16.2
org.apache.struts/struts2-core
0 - 2.3.20 · Maven
Published
Apr 29, 2014
Tracked Since
Feb 18, 2026