CVE-2014-0114

EXPLOITED

Apache Commons BeanUtils <1.9.2 - RCE

Title source: llm

Description

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/41690
nomisec WORKING POC 12 stars
by rgielen · poc
https://github.com/rgielen/struts1filter
nomisec WRITEUP 2 stars
by aenlr · poc
https://github.com/aenlr/strutt-cve-2014-0114
nomisec WRITEUP 1 star
by ricedu · poc
https://github.com/ricedu/struts1-patch

References (119)

... and 99 more

Scores

EPSS 0.9274
EPSS Percentile 99.8%

Details

VulnCheck KEV 2022-05-11
CWE CWE-20
Status published
Products (14)
apache/commons_beanutils < 1.9.1
apache/struts 1.0
apache/struts 1.0.2
apache/struts 1.1 (6 CPE variants)
apache/struts 1.2.2
apache/struts 1.2.4
apache/struts 1.2.6
apache/struts 1.2.7
apache/struts 1.2.8
apache/struts 1.2.9
... and 4 more
Published Apr 30, 2014
Tracked Since Feb 18, 2026