CVE-2014-0114: Class Loader manipulation via request parameters

April 30, 2014 (updated May 14, 2024)

This package does not suppress the class property, which allows remote attackers to “manipulate” the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts

References

h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114
bugzilla.redhat.com/show_bug.cgi?id=1091938

Code Behaviors & Features

Detect and mitigate CVE-2014-0114 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →