Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2014-0094

Description

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

POC

Reference

- http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html

- http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Github

- https://github.com/20142995/pocsuite3

- https://github.com/HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1

- https://github.com/aenlr/strutt-cve-2014-0114

- https://github.com/alexsh88/victims

- https://github.com/fupinglee/Struts2_Bugs

- https://github.com/julianvilas/rooted2k15

- https://github.com/klee94/maven-security-versions-Travis

- https://github.com/tmpgit3000/victims

- https://github.com/victims/maven-security-versions

- https://github.com/y0d3n/CVE-2014-0094