CVE-2014-0114

CVE-2014-0114

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Published Mar 28, 2017

rapid7.com Apache Jira · BEANUTILS-463

CVSS ScoreHigh

7.5

Vulnerabilities

CVE-2014-0114

Published Mar 28, 2017

rapid7.com Apache Jira · BEANUTILS-463

CVSS ScoreHigh

7.5

CVE-2014-0114 Security Details

CVE ID: CVE-2014-0114
CWE: CWE-20
CVE Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Published: Mar 28, 2017
CVSS Score & Severity: 7.5High
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Score: 92.332%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/commons/beanutils/BeanUtils.populate(Ljava/lang/Object;Ljava/util/Map;)V
JVM
org/apache/commons/beanutils/PropertyUtilsBean.resetBeanIntrospectors()V
JVM
Affected Ecosystems: affected
Source: National Vulnerability Database
References: rapid7.comATTACK
Apache Jira · BEANUTILS-463PROJECT

CVE-2014-0114 Security Details

CVE ID: CVE-2014-0114
CWE: CWE-20
CVE Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Published: Mar 28, 2017
CVSS Score & Severity: 7.5High
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Score: 92.332%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/commons/beanutils/BeanUtils.populate(Ljava/lang/Object;Ljava/util/Map;)V
JVM
org/apache/commons/beanutils/PropertyUtilsBean.resetBeanIntrospectors()V
JVM
Affected Ecosystems: affected
Source: National Vulnerability Database
References: rapid7.comATTACK
Apache Jira · BEANUTILS-463PROJECT

Find vulnerabilities. Fix fast with AI.

CVE-2014-0114

CVE-2014-0114 Security Details

CVE-2014-0114 Security Details