CVE-2014-0114 — Vulnetix

Try Vulnetix Request Demo

CVE-2014-0114 PUBLISHED

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

EPSS 92.74% · 99.8th percentile

Risk Scores

EPSS Score

92.74%

99.8th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:16.04:LTS	commons-beanutils	0, 1.9.2-1, 1.9.2-2
Ubuntu:Pro:14.04:LTS	commons-beanutils	0, 1.8.3-4, 1.9.0-1
Ubuntu:Pro:18.04:LTS	commons-beanutils	0, 1.9.3-1

Timeline

CVE Published
Mar 6, 2014 PoC Published
Sep 6, 2015 PoC Published
Feb 14, 2016 PoC Published
Mar 23, 2017 PoC Published
May 29, 2018 PoC Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 11, 2022 VulnCheck KEV Exploitation
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2014-0114 third-party-advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1091938 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2014-0114 third-party-advisory
https://ubuntu.com/security/notices/USN-4766-1 vendor-advisory

Open in Interactive Console →