CVE-2014-0113

Name of the Vulnerable Software and Affected Versions Apache Struts versions prior to 2.3.20

Description The issue is related to the CookieInterceptor in Apache Struts, where an incomplete fix for a previous issue has led to a vulnerability. This vulnerability allows remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request, due to insufficient access restrictions when handling wildcard cookiesName values. The exploitation requires the application to be configured to accept all cookies, allowing access to the class parameter directly mapped to the getClass() method.

Recommendations For Apache Struts versions prior to 2.3.20, update to version 2.3.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the getClass method in the CookieInterceptor class until a patch is available. Avoid using wildcard values for the cookiesName parameter in the CookieInterceptor to minimize the risk of exploitation.