CVE-2014-0116
Apache Struts 2.x < 2.3.20 - Remote Code Execution via CookieInterceptor ClassLoader Manipulation
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
References (5)
SecurityFocus BID 67218 (Third Party Advisory, VDB Entry): http://www.securityfocus.com/bid/67218
Huawei PSIRT security advisory hw-350733 (Various Sources, vendor-confirmed): http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
Secunia advisory 59816 (Third Party Advisory): http://secunia.com/advisories/59816
Apache Struts S2-022 security bulletin (Release Notes, vendor-confirmed): http://struts.apache.org/release/2.3.x/docs/s2-022.html
Oracle Critical Patch Update, April 2015 (Vendor Advisory): http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
Scores
EPSS: 0.0283 (EPSS percentile: 86.4%)
Details
CWE: CWE-264
Status: published
Products (50)
apache/struts 2.0.0
apache/struts 2.0.1
apache/struts 2.0.2
apache/struts 2.0.3
apache/struts 2.0.4
apache/struts 2.0.5
apache/struts 2.0.6
apache/struts 2.0.7
apache/struts 2.0.8
apache/struts 2.0.9
... and 40 more
Published: May 08, 2014
Tracked Since: Feb 18, 2026