CVE-2014-0114
PUBLISHED
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
EPSS 92.33% · 99.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | commons-beanutils | 0, 1.9.2-1, 1.9.2-2 |
| Ubuntu:Pro:14.04:LTS | commons-beanutils | 1.9.1-1, 1.8.3-4, 1.9.0-1 |
| Ubuntu:Pro:18.04:LTS | commons-beanutils | 1.9.3-1, 0 |
Exploit Intelligence
- SERVER-APACHE Apache Struts ParametersInterceptor classloader access attempt (vulnetix)
- cve-2015-9251 (github-poc)
…and 391 more exploits
Timeline
- CVE Published
- Mar 6, 2014 PoC Published
- Sep 6, 2015 PoC Published
- Feb 14, 2016 PoC Published
- Mar 23, 2017 PoC Published
- May 29, 2018 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 11, 2022 VulnCheck KEV Exploitation
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-0114 third-party-advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1091938 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2014-0114 third-party-advisory
- https://ubuntu.com/security/notices/USN-4766-1 vendor-advisory