CVE-2014-0114

CVSS V2 High 7.5 CVSS V3 None
Description
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Overview
  • CVE ID
  • CVE-2014-0114
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2014-04-30T10:49:03
  • Last Modified Date
  • 2023-02-13T00:32:29
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:* 1 OR 1.9.1
cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 7.5
  • Severity
  • HIGH
  • Exploitability Score
  • 10
  • Impact Score
  • 6.4
References
Reference URL Reference Tags
https://bugzilla.redhat.com/show_bug.cgi?id=1091938
http://secunia.com/advisories/59704
http://www-01.ibm.com/support/docview.wss?uid=swg21676303
https://issues.apache.org/jira/browse/BEANUTILS-463
https://bugzilla.redhat.com/show_bug.cgi?id=1116665
http://www-01.ibm.com/support/docview.wss?uid=swg21676931
http://secunia.com/advisories/59014
https://access.redhat.com/solutions/869353
http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
http://openwall.com/lists/oss-security/2014/07/08/1
http://secunia.com/advisories/58851
http://openwall.com/lists/oss-security/2014/06/15/10
http://www-01.ibm.com/support/docview.wss?uid=swg21676375
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://secunia.com/advisories/60703
http://secunia.com/advisories/60177
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.debian.org/security/2014/dsa-2940
http://marc.info/?l=bugtraq&m=141451023707502&w=2
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www-01.ibm.com/support/docview.wss?uid=swg21676091
http://marc.info/?l=bugtraq&m=140119284401582&w=2
http://marc.info/?l=bugtraq&m=140801096002766&w=2
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
http://www.securityfocus.com/bid/67121
https://security.gentoo.org/glsa/201607-09
http://www-01.ibm.com/support/docview.wss?uid=swg27042296
http://www-01.ibm.com/support/docview.wss?uid=swg21677110
http://www-01.ibm.com/support/docview.wss?uid=swg21676110
http://www-01.ibm.com/support/docview.wss?uid=swg21675972
http://www-01.ibm.com/support/docview.wss?uid=swg21675898
http://www-01.ibm.com/support/docview.wss?uid=swg21675689
http://www-01.ibm.com/support/docview.wss?uid=swg21675387
http://www-01.ibm.com/support/docview.wss?uid=swg21675266
http://www-01.ibm.com/support/docview.wss?uid=swg21674812
http://www-01.ibm.com/support/docview.wss?uid=swg21674128
http://www.vmware.com/security/advisories/VMSA-2014-0008.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:095
http://www.ibm.com/support/docview.wss?uid=swg21675496
http://secunia.com/advisories/59718
http://secunia.com/advisories/59480
http://secunia.com/advisories/59479
http://secunia.com/advisories/59464
http://secunia.com/advisories/59430
http://secunia.com/advisories/59246
http://secunia.com/advisories/59245
http://secunia.com/advisories/59228
http://secunia.com/advisories/59118
http://secunia.com/advisories/58947
http://secunia.com/advisories/58710
http://secunia.com/advisories/57477
http://advisories.mageia.org/MGASA-2014-0219.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://security.netapp.com/advisory/ntap-20140911-0001/
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html
https://security.netapp.com/advisory/ntap-20180629-0006/
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://access.redhat.com/errata/RHSA-2018:2669
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E
https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E
https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E
https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E
https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E
https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E
https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E
https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:2995
https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477@%3Ccommits.dolphinscheduler.apache.org%3E
History
Created Old Value New Value Data Type Notes
2022-05-10 07:26:03 Added to TrackCVE
2022-12-01 22:55:04 2014-04-30T10:49Z 2014-04-30T10:49:03 CVE Published Date updated
2022-12-01 22:55:04 2021-01-26T18:15:22 CVE Modified Date updated
2022-12-01 22:55:04 Modified Vulnerability Status updated
2023-02-13 01:04:44 2023-02-13T00:32:29 CVE Modified Date updated