CVE-2014-0094

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Published Bysecalert@redhat.com

Published DateMar 11, 2014, 13:00

Affected Versions(2)

org.apache.struts:struts2-core(Maven)

Introduced2.0.0

Fixed2.3.16.2

LimitN/A

org.apache.struts.xwork:xwork-core(Maven)

Introduced2.0.0

Fixed2.3.16.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.struts:struts2-core(Maven)	2.0.0	2.3.16.2	N/A
org.apache.struts.xwork:xwork-core(Maven)	2.0.0	2.3.16.2	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE