DEBIAN-CVE-2014-0114

DEBIAN-CVE-2014-0114 PUBLISHED CVSS 9.300000190734863 CRITICAL

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Risk Scores

CVSS 4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
Debian:14	commons-beanutils	0, 0, 0
Debian:11	commons-beanutils	0, 0, 0
Debian:12	commons-beanutils	0, 0, 0
Debian:13	commons-beanutils	0, 0, 0

Exploit Intelligence

security.xml (github-poc)
cve-suppress.xml (github-poc)
druid-612f0710.json (github-poc)

Timeline

Apr 30, 2014 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2014-0114 advisory

Open in Interactive Console →