CVE-2014-0094 | Vulnerability Database | Aqua Security

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to manipulate the ClassLoader via the class parameter, which is passed to the getClass method.

Affected Software

Name	Vendor	Start Version	End Version
Struts	Apache	2.0.0 (including)	2.3.16.1 (excluding)
Libstruts1.2-java	Ubuntu	upstream	*

References

http://jvn.jp/en/jp/JVN19294237/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
http://secunia.com/advisories/56440
http://secunia.com/advisories/59178
http://struts.apache.org/release/2.3.x/docs/s2-020.html
http://www-01.ibm.com/support/docview.wss?uid=swg21676706
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
http://www.konakart.com/downloads/ver-7-3-0-0-whats-new
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.securityfocus.com/archive/1/531362/100/0/threaded
http://www.securityfocus.com/archive/1/532549/100/0/threaded
http://www.securityfocus.com/bid/65999
http://www.securitytracker.com/id/1029876
http://www.vmware.com/security/advisories/VMSA-2014-0007.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-0094
CWE	https://cwe.mitre.org/data/definitions/.html