PT-2014-1441 · Apache · Apache Struts

Zubair Ashraf · Published 2014-05-06 · Updated 2022-05-14

CVE-2014-0116
CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache Struts versions prior to 2.3.20

Description: The issue is related to the CookieInterceptor in Apache Struts, where an incomplete fix for a previous issue leads to improper access restriction to the getClass method when a wildcard cookiesName value is used. This allows remote attackers to manipulate the ClassLoader and modify session state via a crafted request. The vulnerability can be exploited by sending a specially crafted request, potentially allowing attackers to read, modify, or delete data.

Recommendations: For versions prior to 2.3.20, update to version 2.3.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the getClass method of the CookieInterceptor class until a patch is available. Avoid using wildcard values for the cookiesName parameter in the affected API endpoints until the issue is resolved.
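The wildcard setting the recommendation warns about, shown next to the restricted form, as an added struts.xml fragment that is not part of this advisory or of the Struts project; the package, action class and cookie names (theme, locale) are assumptions for illustration.

```xml
<!-- Constructed struts.xml fragment (not from the advisory); action class and cookie names are assumptions. -->
<struts>
  <package name="example" extends="struts-default">

    <!-- Weak: with cookiesName="*" every cookie name in the request is mapped onto
         the action's properties, so a crafted name can reach getClass() and from
         there the ClassLoader, which is the condition this advisory describes. -->
    <action name="profile-weak" class="com.example.ProfileAction">
      <interceptor-ref name="cookie">
        <param name="cookiesName">*</param>
        <param name="cookiesValue">*</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
    </action>

    <!-- Restricted: list only the cookies the action actually consumes; any other
         cookie name is ignored by the interceptor instead of being evaluated. -->
    <action name="profile" class="com.example.ProfileAction">
      <interceptor-ref name="cookie">
        <param name="cookiesName">theme,locale</param>
        <param name="cookiesValue">*</param>
      </interceptor-ref>
      <interceptor-ref name="defaultStack"/>
    </action>

  </package>
</struts>
```

The explicit list is a workaround only; upgrading to 2.3.20 or later remains the fix.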

Related Identifiers

BDU:2015-00403
CVE-2014-0116
GHSA-HMHQ-382Q-MP56

Affected Products

Apache Struts
Huawei VRP