CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to “manipulate” the ClassLoader and execute arbitrary code via a crafted request. (CVE-2014-0113)
Impact
None. F5 products do not use the affected Apache Struts version.