PT-2014-1440 · Apache · Apache Struts

Baka/Ty

Published 2014-04-28 · Updated 2022-05-14 · CVE-2014-0112

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache Struts versions prior to 2.3.20
Description: The issue lies in the ParametersInterceptor in Apache Struts, which does not properly restrict access to the getClass method. This allows remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request. The vulnerability exists because of an incomplete fix for a previous issue: the access controls around the getClass method remain deficient when the ParametersInterceptor handles the class parameter. Exploiting this vulnerability allows a remote attacker to execute arbitrary code by sending a specially crafted request.
Recommendations: For Apache Struts versions prior to 2.3.20, update to version 2.3.20 or later to resolve the issue. As a temporary workaround, restrict access to the getClass() method via the ParametersInterceptor to minimize the risk of exploitation, and restrict access to the class parameter on the affected endpoints so that the ClassLoader cannot be reached through request parameters.
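The following is an added illustration of the workaround described above, not code or configuration from the Apache Struts project: a screen over incoming request-parameter names that rejects any name whose property path passes through a segment named `class` (the route to getClass() and the ClassLoader), while leaving ordinary names such as `className` untouched. The parameter names are constructed sample data; in a real Struts deployment the equivalent control is the ParametersInterceptor's own exclusion pattern, which should be taken from the vendor advisory rather than from this example.

```python
import re
from typing import Iterable, List

# Constructed, illustrative check in the spirit of the ParametersInterceptor
# exclusion: not the Struts project's own code or pattern.
#
# An OGNL-style parameter name is split into its path segments at '.', '[',
# ']' and quotes. If any segment is "class" (case-insensitive), the name can
# reach getClass() and from there the ClassLoader, so it is rejected.
# Names that merely contain "class" inside a longer identifier (className,
# classification) are allowed.
SEGMENT_SPLIT = re.compile(r"""[.\[\]'"]+""")


def reaches_class_property(name: str) -> bool:
    """True if any path segment of the parameter name is exactly 'class'."""
    segments = [s for s in SEGMENT_SPLIT.split(name) if s]
    return any(seg.lower() == "class" for seg in segments)


def screen_parameters(names: Iterable[str]) -> List[str]:
    """Return the parameter names that should be rejected before binding."""
    return [n for n in names if reaches_class_property(n)]


# Constructed sample of parameter names as they might arrive in one request.
SAMPLE_PARAMS = [
    "username",
    "className",
    "class.classLoader.someProperty",
    "user.Class.classLoader.urls[0]",
    "order['class'].x",
    "top.classification",
]

if __name__ == "__main__":
    for n in SAMPLE_PARAMS:
        verdict = "REJECT" if reaches_class_property(n) else "allow"
        print(f"{verdict:6} {n}")
```

Matching on whole path segments rather than on the substring `class` is the point of the check: a substring match would either miss quoted forms like `['class']` or would block legitimate properties such as `className`.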


Weakness Enumeration

Related Identifiers

BDU:2015-00402
CVE-2014-0112
GHSA-PRJV-JJ26-WF8H

Affected Products

Apache Struts