VAR-201404-0288
PUBLISHED
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
Timeline
- Mar 7, 2011 CVE Published
- Mar 6, 2014 PoC Published
- Sep 6, 2015 PoC Published
- Feb 14, 2016 PoC Published
- May 29, 2018 PoC Published
- Feb 6, 2025 PoC Published
- Feb 23, 2025 PoC Published
- Aug 31, 2025 PoC Published
- Apr 16, 2026 Distribution Patch
- Apr 16, 2026 Distribution Patch
- Apr 16, 2026 Distribution Patch
- Apr 16, 2026 Security Advisory
References
- [apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114 mailing-list
- 57477 third-party-advisory
- http://www.vmware.com/security/advisories/VMSA-2014-0008.html url
- https://issues.apache.org/jira/browse/BEANUTILS-463 url
- 58710 third-party-advisory
- MDVSA-2014:095 vendor-advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html url
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html url
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html url
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html url
- http://www-01.ibm.com/support/docview.wss?uid=swg21675689 url
- FEDORA-2014-9380 vendor-advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21674812 url
- https://security.netapp.com/advisory/ntap-20140911-0001/ url
- 59464 third-party-advisory
- 59118 third-party-advisory
- https://security.netapp.com/advisory/ntap-20180629-0006/ url
- http://www-01.ibm.com/support/docview.wss?uid=swg21675387 url
- https://access.redhat.com/solutions/869353 url
- https://bugzilla.redhat.com/show_bug.cgi?id=1091938 url
…and 99 more