CVE-2014-0113

EXPLOITED

Apache Struts 2.0.0-2.3.16.1 and struts2-core < 2.3.20 - Remote Code Execution via CookieInterceptor

Exploitation Summary

CVE-2014-0113 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Metasploit.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-0113 in Apache Struts by manipulating the ClassLoader via crafted parameters, allowing remote code execution through JSP payload delivery.

Description

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/33142

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts < 2.3.16.2
No auth needed
Prerequisites: Exposed Struts application with vulnerable ParametersInterceptor · Network access to target
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://cwiki.apache.org/confluence/display/WW/S2-021
Permissions Required third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59178
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/531952/100/0/threaded
Third Party Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21676706

Scores

EPSS 0.8222
EPSS Percentile 99.2%

Details

VulnCheck KEV: 2022-05-11
CWE: CWE-264
Status: published
Products (2)
apache/struts 2.0.0 - 2.3.16.2
org.apache.struts/struts2-core 0 - 2.3.20 (Maven)
Published: Apr 29, 2014
Tracked Since: Feb 18, 2026