Versions Compared

Old Version 2

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version 3

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers and users

Impact of vulnerability

ClassLoader manipulation

Maximum security rating

ImportantHigh

Recommendation

Developers should immediately upgrade to Struts 2.3.16.2

Affected Software

Struts 2.0.0 - Struts 2.3.16.1

Reporter

Taki Uchiyama (JPCERT/CC), Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.),
Yoshiyuki Karezaki, BAKA/ty, Shine (1983059165 at qq.com), NSFOCUS Security Team

CVE Identifier

CVE-2014-0112 - Incomplete fix for ClassLoader manipulation via ParametersInterceptor

CVE-2014-0113 - ClassLoader manipulation via CookieInterceptor when configured to accept all cookies

...