Skip to content

ClassLoader manipulation in Apache Struts

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Dec 28, 2023

Package

maven org.apache.struts.xwork:xwork-core (Maven)

Affected versions

>= 2.0.0, < 2.3.16.2

Patched versions

2.3.16.2
maven org.apache.struts:struts2-core (Maven)
>= 2.0.0, < 2.3.16.2
2.3.16.2

Description

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

References

Published by the National Vulnerability Database Mar 11, 2014
Published to the GitHub Advisory Database May 14, 2022
Reviewed Nov 3, 2022
Last updated Dec 28, 2023

Severity

Moderate

EPSS score

97.044%
(100th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2014-0094

GHSA ID

GHSA-vrwc-qjmw-5rjm

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.