
CVE-2014-0112

Published: 29/04/2014 Updated: 12/08/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 801
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

ParametersInterceptor in Apache Struts prior to 2.3.20 does not properly restrict access to the getClass method, which allows remote malicious users to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.


Affected Products

Vendor | Product | Versions
Apache | Struts | 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.0.11.2, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.8.1, 2.2.1, 2.2.1.1, 2.2.3, 2.2.3.1, 2.3.0, 2.3.1, 2.3.1.1, 2.3.1.2, 2.3.3, 2.3.4, 2.3.4.1, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1, 2.3.15.2, 2.3.15.3, 2.3.16, 2.3.16.1

Vendor Advisories

Synopsis: Important: Red Hat Fuse 7.3 security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.2 to 7.3) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has ...
ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094 ...
Oracle Critical Patch Update Advisory - April 2015. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch ...

Exploits

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: github.com/rapid7/metasploit-framework
    ##
    require 'msf/core'
    class Metasploit3 < Msf::Exploit::Remote
      Rank = ManualRanking # It's going to manipulate the Class Loader
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::EXE
      include ...

    ##
    # This module requires Metasploit: metasploit.com/download
    # Current source: github.com/rapid7/metasploit-framework
    ##
    require 'msf/core'
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ManualRanking # It's going to manipulate the Class Loader
      include Msf::Exploit::FileDropper
      include Msf::Exploit::EXE
      include M ...

Metasploit Modules

Apache Struts ClassLoader Manipulation Remote Code Execution

This module exploits a remote command execution vulnerability in Apache Struts versions 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related with the ActionForm bean population mechanism while in case of Struts 2.x the vulnerability is due to the ParametersInterceptor. Both allow access to 'class' parameter that is directly mapped to getClass() method and allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters.

msf > use exploit/multi/http/struts_code_exec_classloader
msf exploit(struts_code_exec_classloader) > show targets
    ...targets...
msf exploit(struts_code_exec_classloader) > set TARGET <target-id>
msf exploit(struts_code_exec_classloader) > show options
    ...show and set options...
msf exploit(struts_code_exec_classloader) > exploit
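
A detection-side view of the 'class' parameter access described in the module summary above, as an added example that is not part of the original page, Struts or Metasploit: it splits request parameter names into property-path segments and flags any segment that resolves to `class`. The log lines, hosts, paths and the `placeholder` property are constructed, and the case-insensitive match is an assumption chosen to be conservative.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Dots and bracket notation (a.b, a['b'], a["b"]) all separate path segments.
_SEGMENT_SPLIT = re.compile(r"""[.\[\]'"]+""")
_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def property_segments(param_name):
    """Split a request parameter name into its property-path segments."""
    return [seg for seg in _SEGMENT_SPLIT.split(param_name) if seg]

def touches_get_class(param_name):
    """True when any segment is the 'class' property, i.e. maps to getClass()."""
    # Case-insensitive on purpose (assumption): prefer a false positive to a miss.
    return any(seg.lower() == "class" for seg in property_segments(param_name))

def suspicious_params(request_target, body=""):
    """Return decoded parameter names (query plus form body) that reach 'class'."""
    pairs = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [name for name, _ in pairs if touches_get_class(name)]

def scan_access_log(lines):
    """Return (client, request target, flagged names) for each line with a hit."""
    hits = []
    for line in lines:
        match = _REQUEST.match(line)
        if not match:
            continue
        flagged = suspicious_params(match.group(2))
        if flagged:
            hits.append((match.group(1), match.group(2), flagged))
    return hits

# Constructed access-log lines; hosts, paths and 'placeholder' are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2014:10:00:01 +0000] "GET /shop/list.action?category=books&className=x HTTP/1.1" 200 512',
    '192.0.2.77 - - [29/Apr/2014:10:00:02 +0000] "GET /shop/list.action?class.classLoader.placeholder=1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [29/Apr/2014:10:00:03 +0000] "GET /shop/list.action?user%5B%27Class%27%5D.placeholder=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [29/Apr/2014:10:00:04 +0000] "POST /shop/save.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, target, names in scan_access_log(SAMPLE_LOG):
        print(client, target, names)
```

Access logs expose only the query string; form-encoded POST bodies can be checked by passing them as `body` to `suspicious_params` wherever a proxy or servlet filter has them available.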

Github Repositories

CVE-2014-0114 - Vulnerability in Struts 1. Parameters in a POST or GET request are handled as properties to be set, with the form as the starting point. Parameters can be a path to a nested object. Apache Struts 1.x can be manipulated into calling getClass() on Form Beans. For example, one can directly manipulate attributes on

Maven Security Versions: Identify vulnerable libraries in Maven dependencies. The plugin is based on versions-maven-plugin. It uses the victims database as the source for CVEs and Maven artifact mapping. Usage:
> mvn com.redhat.victims.maven:security-versions:check
[INFO] Scanning for projects
[INFO]
[INFO] -----------------------------------------------------------------


Recent Articles

VMware Patches Apache Struts Flaws in vCOPS
Threatpost • Dennis Fisher • 25 Jun 2014

VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.
All of the vulnerabilities that the company patched lie in the Apache Struts Java application framework, and the most serious of them is CVE-2014-0112, which allows an attacker to run arbitrary code.
“ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getCl...