CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Percentile: 99.9%

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar
in Apache Struts 1.x through 1.3.10 and in other products requiring
commons-beanutils through 1.9.2, does not suppress the class property,
which allows remote attackers to “manipulate” the ClassLoader and execute
arbitrary code via the class parameter, as demonstrated by the passing of
this parameter to the getClass method of the ActionForm object in Struts 1.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | commons-beanutils | < 1.9.3-1ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 14.04 | noarch | commons-beanutils | < 1.9.1-1ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 16.04 | noarch | commons-beanutils | < 1.9.2-3ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 12.04 | noarch | libstruts1.2-java | < 1.2.9-5+deb7u1build0.12.04.1 | UNKNOWN |