Lucene search
RedhatCVE-2014-0116HistoryMay 08, 2014 - 10:55 a.m.
CVE-2014-0116
2014-05-0810:55:02
CWE-264
redhat
web.nvd.nist.gov
76
cve-2014-0116
cookieinterceptor
apache struts 2.x
session state manipulation
remote attackers
classloader manipulation
security vulnerability
CVSS2
5.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
AI Score
6.1
Confidence
High
EPSS
0.969
Percentile
99.7%
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to “manipulate” the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Affected configurations
Node
apachestrutsMatch2.0.0
ORapachestrutsMatch2.0.1
ORapachestrutsMatch2.0.2
ORapachestrutsMatch2.0.3
ORapachestrutsMatch2.0.4
ORapachestrutsMatch2.0.5
ORapachestrutsMatch2.0.6
ORapachestrutsMatch2.0.7
ORapachestrutsMatch2.0.8
ORapachestrutsMatch2.0.9
ORapachestrutsMatch2.0.10
ORapachestrutsMatch2.0.11
ORapachestrutsMatch2.0.11.1
ORapachestrutsMatch2.0.11.2
ORapachestrutsMatch2.0.12
ORapachestrutsMatch2.0.13
ORapachestrutsMatch2.0.14
ORapachestrutsMatch2.1.0
ORapachestrutsMatch2.1.1
ORapachestrutsMatch2.1.2
ORapachestrutsMatch2.1.3
ORapachestrutsMatch2.1.4
ORapachestrutsMatch2.1.5
ORapachestrutsMatch2.1.6
ORapachestrutsMatch2.1.8
ORapachestrutsMatch2.1.8.1
ORapachestrutsMatch2.2.1
ORapachestrutsMatch2.2.1.1
ORapachestrutsMatch2.2.3
ORapachestrutsMatch2.2.3.1
ORapachestrutsMatch2.3.1
ORapachestrutsMatch2.3.1.1
ORapachestrutsMatch2.3.1.2
ORapachestrutsMatch2.3.3
ORapachestrutsMatch2.3.4
ORapachestrutsMatch2.3.4.1
ORapachestrutsMatch2.3.7
ORapachestrutsMatch2.3.8
ORapachestrutsMatch2.3.12
ORapachestrutsMatch2.3.14
ORapachestrutsMatch2.3.14.1
ORapachestrutsMatch2.3.14.2
ORapachestrutsMatch2.3.14.3
ORapachestrutsMatch2.3.15
ORapachestrutsMatch2.3.15.1
ORapachestrutsMatch2.3.15.2
ORapachestrutsMatch2.3.15.3
ORapachestrutsMatch2.3.16
ORapachestrutsMatch2.3.16.1
ORapachestrutsMatch2.3.16.2
| Vendor | Product | Version | CPE |
|---|---|---|---|
| apache | struts | 2.0.0 | cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:* |
| apache | struts | 2.0.1 | cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:* |
| apache | struts | 2.0.2 | cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:* |
| apache | struts | 2.0.3 | cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:* |
| apache | struts | 2.0.4 | cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:* |
| apache | struts | 2.0.5 | cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:* |
| apache | struts | 2.0.6 | cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:* |
| apache | struts | 2.0.7 | cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:* |
| apache | struts | 2.0.8 | cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:* |
| apache | struts | 2.0.9 | cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:* |
Related
prion
prion
Design/Logic Flaw
2014-05-08 10:55:00
Design/Logic Flaw
2014-04-29 10:37:00
ubuntucve
ubuntucve
CVE-2014-0116
2014-05-08 00:00:00
CVE-2014-0113
2014-04-29 00:00:00
cvelist
cvelist
CVE-2014-0116
2014-05-08 10:00:00
CVE-2014-0113
2014-04-29 10:00:00
osv
osv
ClassLoader manipulation in Apache Struts
2022-05-14 00:54:14
ClassLoader manipulation in Apache Struts
2022-05-14 00:54:15
github
github
ClassLoader manipulation in Apache Struts
2022-05-14 00:54:14
ClassLoader manipulation in Apache Struts
2022-05-14 00:54:15
nvd
nvd
CVE-2014-0116
2014-05-08 10:55:02
CVE-2014-0113
2014-04-29 10:37:03
nessus
nessus
Apache Struts 2 CookieInterceptor Unspecified Security Bypass (S2-022)
2014-05-09 00:00:00
MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities
2015-05-08 00:00:00
MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities
2015-05-08 00:00:00
ibm
ibm
Security Bulletin: IBM Platform Symphony (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116)
2018-06-18 01:25:07
openvas
openvas
Apache Struts Security Update (S2-021, S2-022, S2-023, S2-025)
2019-08-28 00:00:00
Apache Struts ClassLoader Manipulation Vulnerabilities (S2-021) - Linux
2019-08-28 00:00:00
huawei
huawei
Security Advisory-Apache Struts2 vulnerability on Huawei multiple products
2014-07-07 00:00:00
f5
f5
K15262 : Apache Struts vulnerability CVE-2014-0113
2014-05-15 00:00:00
SOL14933 - Apache Struts vulnerability CVE-2013-2251
2014-01-20 00:00:00
SOL15261 - Apache Struts vulnerability CVE-2014-0112
2014-05-15 00:00:00
cve
cve
CVE-2014-0113
2014-04-29 10:37:03
veracode
veracode
Class Loader Manipulation With CookieInterceptor
2014-06-06 18:13:23
exploitdb
exploitdb
Apache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)
2014-05-02 00:00:00
checkpoint_advisories
checkpoint_advisories
oracle
oracle
Oracle Critical Patch Update - April 2015
2015-04-14 00:00:00
CVSS2
5.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
AI Score
6.1
Confidence
High
EPSS
0.969
Percentile
99.7%
Related for CVE-2014-0116