Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CVE-2014-0114 - High Severity Vulnerability
struts-core-1.3.8.jar
Apache Struts
Library home page: http://struts.apache.org
Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
Dependency Hierarchy: - maven-reporting-impl-2.3.jar (Root Library) - doxia-site-renderer-1.4.jar - velocity-tools-2.0.jar - :x: **struts-core-1.3.8.jar** (Vulnerable Library)
commons-beanutils-1.7.0.jar
null
Path to vulnerable library: /root/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy: - maven-reporting-impl-2.3.jar (Root Library) - doxia-core-1.2.jar - commons-validator-1.3.1.jar - :x: **commons-beanutils-1.7.0.jar** (Vulnerable Library)
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Base Score Metrics not available
Type: Upgrade version
Origin: https://security.gentoo.org/glsa/201607-09
Release Date: 2016-07-20
Fix Resolution: All Commons BeanUtils users should upgrade to the latest version >= commons-beanutils-1.9.2