CVE-2014-0113

EXPLOITED

Apache Struts <2.3.20 - RCE

Title source: llm

Description

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Exploits (1)

exploitdb (working PoC, verified)
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/33142

Scores

EPSS 0.8205
EPSS Percentile 99.2%

Details

VulnCheck KEV 2022-05-11
CWE
CWE-264
Status published
Products (2)
apache/struts 2.0.0 - 2.3.16.2
org.apache.struts/struts2-core 0 - 2.3.20 (Maven)
Published Apr 29, 2014
Tracked Since Feb 18, 2026