PT-2014-1716 · Apache · Apache Struts

Published: 2014-04-30 · Updated: 2026-01-22 · CVE-2014-0114

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache Commons BeanUtils versions 1.8.0 through 1.9.2; Apache Struts versions 1.x through 1.3.10
Description: The issue allows remote attackers to manipulate the ClassLoader and execute arbitrary code via the class parameter. In Struts 1 this can be demonstrated by passing the class parameter, which is bound to the getClass method of the ActionForm object. The root cause is that Apache Commons BeanUtils allows the class property of a bean to be accessed through property expressions.
Recommendations: For Apache Commons BeanUtils versions 1.8.0 through 1.9.2, consider disabling access to the class property to prevent ClassLoader manipulation until a patch is available. For Apache Struts versions 1.x through 1.3.10, restrict access to the getClass method of the ActionForm object to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
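One way to apply the Struts 1 recommendation above, as an added example that is not part of this advisory or of the Struts project: a servlet filter that rejects any request parameter whose name would navigate through the ActionForm's class property before Struts populates the form. The filter class name, its regular expression and the use of the Servlet 2.x API are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Struts project code): refuses requests that
 * carry a parameter name reaching the "class" property of a form bean,
 * e.g. class.classLoader.* or user.class.classLoader.*, so the value
 * never reaches BeanUtils during ActionForm population.
 */
public class ClassParameterFilter implements Filter {

    // Constructed for this example: a "class" segment at the start of the
    // name, after a '.', or inside a mapped key, followed by nested ('.'),
    // indexed ('[') or mapped ('(') access. Case-insensitive on purpose;
    // rejecting a few extra spellings is cheaper than missing one.
    private static final Pattern FORBIDDEN = Pattern.compile(
            "(?i)(^|.*\\.|.*\\[['\"])class(\\.|\\[|\\(|['\"]\\]).*");

    /** Pure rule, so it can be unit-tested without a servlet container. */
    public static boolean isForbiddenParameter(String name) {
        return name != null && FORBIDDEN.matcher(name).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        Enumeration<?> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            if (isForbiddenParameter((String) names.nextElement())) {
                // Fail closed: 400 before any Struts action or form sees the request.
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to the same URL pattern as the Struts ActionServlet in web.xml; a name such as "classic" or "myclass" is not rejected, while "class.classLoader.URLs[0]" is.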

Exploit: RCE

Weakness Enumeration

Related Identifiers

BDU:2015-00729
BDU:2015-04139
CVE-2014-0114
DLA-57-1
DSA-2940-1
GHSA-P66X-2CV9-QQ3V
MGASA-2014-0219
OPENSUSE-SU-2024:10617-1
RHSA-2014:0474
RHSA-2014:0500
RHSA-2014_0474
SUSE-RU-2015:0611-1
SUSE-SU-2014_0902-1
SUSE-SU-2015:0886-1
SUSE-SU-2025:02056-1
SUSE-SU-2025_02056-1
USN-4766-1

Affected Products

Apache Commons Beanutils
Apache Struts
Oracle Weblogic Server
Red Hat
Suse
Ubuntu
Vmware Vcenter