Paul Benedict created STR-3220:
----------------------------------
Summary: CVE-2014-0114: Class loader manipulation
Key: STR-3220
URL: https://issues.apache.org/jira/browse/STR-3220
Project: Struts 1
Issue Type: Bug
Components: Core
Affects Versions: 1.3.10, 1.2.9, 1.0.1
Reporter: Paul Benedict
Assignee: Paul Benedict
Priority: Blocker
Fix For: 1.1.2, 1.2.10, 1.3.11
The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate"
the ClassLoader and execute arbitrary code via the class parameter, which is passed to the
getClass method.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
--
This message was sent by Atlassian JIRA
(v6.2#6252)
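
As an added illustration (not code from the Struts project or from this issue), the check below flags request parameter names whose property path contains a `class` segment, which is the route to `getClass` described in the report. The class name `ClassParameterCheck`, the method `touchesClassProperty` and the sample parameter names are constructed for this example; it assumes the dotted, indexed and mapped property path syntax used for bean population, and it is a stopgap for applications that cannot yet move to a version listed under Fix For.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class ClassParameterCheck {

    // Delimiters of a bean property path: nested (.), indexed ([n]), mapped ((key)).
    private static final Pattern DELIMS = Pattern.compile("[.\\[\\]()]");

    /**
     * Returns true when any segment of the parameter name is the "class"
     * property, i.e. the name would be resolved through getClass() during
     * form population. Deliberately conservative: the comparison ignores
     * case and surrounding quotes, so a mapped key named "class" is also flagged.
     */
    static boolean touchesClassProperty(String paramName) {
        if (paramName == null) {
            return false;
        }
        for (String segment : DELIMS.split(paramName)) {
            String s = segment.trim().replaceAll("^['\"]|['\"]$", "");
            if (s.equalsIgnoreCase("class")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, not taken from real traffic.
        List<String> names = Arrays.asList(
                "username",
                "address.city",
                "classification",                 // contains "class" but is a different property
                "subclass.id",
                "class",
                "class.classLoader.someProperty",
                "items[0].class.name",
                "Class.classLoader.someProperty");

        for (String name : names) {
            String verdict = touchesClassProperty(name) ? "REJECT" : "allow";
            System.out.printf("%-34s %s%n", name, verdict);
        }
    }
}
```

The same predicate can be called from a servlet filter before the request reaches the ActionForm, or run over logged parameter names to look for earlier attempts.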