struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul Benedict (JIRA)" <>
Subject [jira] [Created] (STR-3220) CVE-2014-0114: Class loader manipulation
Date Mon, 23 Jun 2014 22:04:24 GMT
Paul Benedict created STR-3220:

             Summary: CVE-2014-0114: Class loader manipulation
                 Key: STR-3220
             Project: Struts 1
          Issue Type: Bug
          Components: Core
    Affects Versions: 1.3.10, 1.2.9, 1.0.1
            Reporter: Paul Benedict
            Assignee: Paul Benedict
            Priority: Blocker
             Fix For: 1.1.2, 1.2.10, 1.3.11

The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate"
the ClassLoader and execute arbitrary code via the class parameter, which is passed to the
getClass method.

This message was sent by Atlassian JIRA

View raw message