ID

VAR-201404-0287


CVE

CVE-2014-0113


TITLE

Apache Struts CookieInterceptor ClassLoader manipulation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-002269

DESCRIPTION

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. With cookiesName="*" the interceptor treats every incoming cookie name as a property path to set on the action, so a cookie whose name starts at the class property reaches getClass().getClassLoader() and the objects behind it. This issue exists because the fix for CVE-2014-0094 was insufficient: a crafted request from a third party can still "manipulate" the ClassLoader, and arbitrary code may be executed. Apache Struts is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions, which may lead to further attacks. Apache Struts versions 2.0.0 through 2.3.16.1 are vulnerable; the fixed release named by S2-021 is 2.3.16.2. Note that NVD's affected range (before 2.3.20) is wider than that fix version.

Trust: 1.98

sources: NVD: CVE-2014-0113 // JVNDB: JVNDB-2014-002269 // BID: 67081 // VULMON: CVE-2014-0113
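The screening step the description implies, as an added example (Python written for this entry, not code from the Apache Struts project): with cookiesName="*", CookieInterceptor takes each cookie name as a property path, so the defensive check belongs on the cookie name rather than its value. The function below rejects any name that can reach the class property in dot or bracket form (any case) and anything that is not a plain property path, then runs over constructed Cookie headers. The accepted-name and class-access regexes are this example's own approximation, not the patterns Struts shipped in 2.3.16.2, and the hostile cookie names are constructed only to illustrate the getClass path.

```python
"""
Added example (not code from the Apache Struts project): a cookie-name screen
of the kind S2-021 describes, applied to constructed Cookie headers.

With cookiesName="*", Struts' CookieInterceptor takes each cookie NAME as an
OGNL property path to set on the action, so a name starting with
"class.classLoader" reaches the ClassLoader through getClass(). The check
below rejects any cookie name that can reach "class" (dot form, bracket form,
any case) and anything that is not a plain property path. Both regexes are
this example's own approximation, not the project's exact patterns.
"""
import re
from typing import Dict, List, Tuple

# Accept only plain property paths: ident(.ident | [digits] | ['ident'] | ["ident"])*
# Assumption: deliberately tighter than what Struts itself accepts.
ACCEPTED = re.compile(r"""^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*|\[\d+\]|\['\w+'\]|\["\w+"\])*$""")

# Reject any path segment that is exactly "class", in dot or bracket form, any case.
CLASS_ACCESS = re.compile(r"""(?:^|\.|\[['"])class(?:$|\.|['"]\])""", re.IGNORECASE)


def is_safe_cookie_name(name: str) -> bool:
    """True only if the name is a plain property path that never touches 'class'."""
    if not ACCEPTED.match(name):
        return False
    return CLASS_ACCESS.search(name) is None


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw 'Cookie:' header value into (name, value) pairs, keeping order."""
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def screen_request(cookie_header: str) -> Dict[str, List[str]]:
    """Classify every cookie name in one header as accepted or rejected."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for name, _ in parse_cookie_header(cookie_header):
        result["accepted" if is_safe_cookie_name(name) else "rejected"].append(name)
    return result


# Constructed sample headers (not captured traffic). The hostile names only
# illustrate the getClass()/ClassLoader path the advisory describes.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; theme=dark; user.preferences.lang=en",
    "JSESSIONID=abc123; class.classLoader.someSetting=x",
    "JSESSIONID=abc123; Class.ClassLoader.someSetting=x",
    "JSESSIONID=abc123; ['class'].classLoader.someSetting=x",
    "JSESSIONID=abc123; user[\"class\"].classLoader.someSetting=x",
    "JSESSIONID=abc123; #application['foo']=bar",
]


def screen_all() -> List[Dict[str, List[str]]]:
    """Run the screen over every constructed header, in order."""
    return [screen_request(h) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLE_HEADERS, screen_all()):
        print(f"{header!r}\n  accepted={verdict['accepted']} rejected={verdict['rejected']}")
```

The screen is applied before any cookie name is handed to the value stack; a name that fails either regex is dropped rather than sanitized, since rewriting an OGNL path is harder to reason about than refusing it.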

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
(scope: eq = this exact release; lt / lte = below / at or below; gte = at or above; ne = not affected, i.e. the fixed release; - = not stated)

apache | struts | lt | 2.3.16.2 | 1.8
ibm | connections | eq | 5.0 | 1.1
ibm | connections | eq | 4.5 | 1.1
ibm | connections | eq | 4.0 | 1.1
apache | struts | gte | 2.0.0 | 1.0
apache | struts | eq | 2.3.4 | 0.9
apache | struts | eq | 2.3.8 | 0.9
apache | struts | eq | 2.3.7 | 0.9
apache | struts | eq | 2.3.16.1 | 0.9
apache | struts | eq | 2.3.16 | 0.9
apache | struts | eq | 2.3.15.3 | 0.9
apache | struts | eq | 2.3.15.2 | 0.9
apache | struts | eq | 2.3.15.1 | 0.9
ibm | connections | lte | 3.0.1.1 | 0.8
oracle | mysql | lte | enterprise monitor 2.3.16 | 0.8
oracle | mysql | lte | enterprise monitor 3.0.10 | 0.8
nec | esmpro/servermanager | lte | ver5.75 | 0.8
nec | infocage | eq | pc security | 0.8
nec | infocage | eq | security risk management v1.0.0 to v2.1.3 | 0.8
nec | webotx | eq | enterprise edition v5.1 to v5.2 | 0.8
nec | webotx | eq | enterprise edition v6.1 to v6.5 | 0.8
nec | webotx | eq | rfid manager enterprise v7.1 | 0.8
nec | webotx | eq | rfid manager lite v2.0 | 0.8
nec | webotx | eq | rfid manager standard v2.0 | 0.8
nec | webotx | eq | standard edition v5.1 to v5.2 | 0.8
nec | webotx | eq | standard edition v6.1 to v6.5 | 0.8
nec | webotx | eq | standard-j edition v5.1 to v5.2 | 0.8
nec | webotx | eq | standard-j edition v6.1 to v6.5 | 0.8
nec | webotx | eq | web edition v5.1 to v5.2 | 0.8
nec | webotx | eq | web edition v6.1 to v6.5 | 0.8
nec | webotx application server | eq | v7.1 | 0.8
nec | webotx developer | eq | v8.2 to v8.4 (with developers studio only) | 0.8
nec | webotx developer | eq | v9.1 to v9.2 (with developers studio only) | 0.8
nec | webotx portal | eq | v8.3 to v8.4 | 0.8
nec | webotx portal | eq | v9.1 | 0.8
fujitsu | integrated system ha database ready | - | - | 0.8
fujitsu | interstage | eq | business analytics modeling server | 0.8
fujitsu | interstage | eq | business process manager analytics | 0.8
fujitsu | interstage | eq | extreme transaction processing server | 0.8
fujitsu | interstage | eq | mobile manager | 0.8
fujitsu | interstage application development cycle manager | - | - | 0.8
fujitsu | interstage application framework suite | - | - | 0.8
fujitsu | interstage application server | - | - | 0.8
fujitsu | interstage apworks | - | - | 0.8
fujitsu | interstage business application server | - | - | 0.8
fujitsu | interstage job workload server | - | - | 0.8
fujitsu | interstage service integrator | - | - | 0.8
fujitsu | interstage studio | - | - | 0.8
fujitsu | serverview | eq | resource orchestrator | 0.8
fujitsu | symfoware | eq | analytics server | 0.8
fujitsu | symfoware | eq | server | 0.8
fujitsu | systemwalker service catalog manager | - | - | 0.8
fujitsu | systemwalker service quality coordinator | - | - | 0.8
fujitsu | systemwalker software configuration manager | - | - | 0.8
fujitsu | triole | eq | cloud middle set b set | 0.8
fujitsu | cloud infrastructure management software | - | - | 0.8
apache | struts | eq | 2.3.4.1 | 0.6
apache | struts | eq | 2.3.3 | 0.6
skavanagh | keybox | eq | 2.10.02 | 0.3
skavanagh | ec2box | eq | 0.11.01 | 0.3
oracle | mysql enterprise monitor | eq | 3.0.10 | 0.3
oracle | mysql enterprise monitor | eq | 2.3.16 | 0.3
oracle | mysql enterprise monitor | eq | 2.3.15 | 0.3
oracle | mysql enterprise monitor | eq | 2.3.14 | 0.3
oracle | mysql enterprise monitor | eq | 2.3.13 | 0.3
oracle | mysql enterprise monitor | eq | 3.0 | 0.3
oracle | mysql enterprise monitor | eq | 2.3 | 0.3
ibm | sterling web channel | eq | 9.1 | 0.3
ibm | sterling web channel | eq | 9.0 | 0.3
ibm | sterling selling and fulfillment foundation | eq | 9.2.1 | 0.3
ibm | sterling selling and fulfillment foundation | eq | 9.2 | 0.3
ibm | sterling selling and fulfillment foundation | eq | 9.1 | 0.3
ibm | sterling selling and fulfillment foundation | eq | 9.0 | 0.3
ibm | sterling order management | eq | 8.5 | 0.3
ibm | sterling field sales | eq | 9.2.1 | 0.3
ibm | sterling field sales | eq | 9.2.0 | 0.3
ibm | sterling field sales | eq | 9.1.0 | 0.3
ibm | sterling field sales | eq | 9.0 | 0.3
ibm | platform symphony | eq | 6.1.1 | 0.3
ibm | platform symphony | eq | 6.1 | 0.3
ibm | platform symphony | eq | 5.2 | 0.3
ibm | platform hpc | eq | 4.1.1 | 0.3
ibm | platform hpc | eq | 4.1 | 0.3
ibm | platform hpc | eq | 3.2 | 0.3
ibm | platform cluster manager | eq | 4.1.1 | 0.3
ibm | platform cluster manager | eq | 4.1 | 0.3
ibm | platform cluster manager | eq | 3.2 | 0.3
ibm | platform application center | eq | 9.1.2 | 0.3
ibm | platform application center | eq | 9.1.1 | 0.3
ibm | platform application center | eq | 9.1 | 0.3
ibm | platform application center | eq | 8.3 | 0.3
ibm | connections | eq | 3.00 | 0.3
ibm | connections | eq | 2.0.10 | 0.3
ibm | connections | eq | 3.0.1.1 | 0.3
ibm | connections | eq | 3.0.1.0 | 0.3
ibm | connections | eq | 3.0.1 | 0.3
ibm | connections | eq | 3.0 | 0.3
ibm | connections | eq | 2.5.0.3 | 0.3
ibm | connections | eq | 2.5.0.2 | 0.3
ibm | connections | eq | 2.5.0.1 | 0.3
ibm | connections | eq | 2.5.0.0 | 0.3
ibm | connections | eq | 2.0.1.1 | 0.3
ibm | connections | eq | 2.0.0.0 | 0.3
arubanetworks | clearpass | eq | 6.0.2 | 0.3
arubanetworks | clearpass | eq | 6.0.1 | 0.3
arubanetworks | clearpass | eq | 6.3.0 | 0.3
arubanetworks | clearpass | eq | 6.2.0 | 0.3
arubanetworks | clearpass | eq | 6.1.3 | 0.3
arubanetworks | clearpass | eq | 6.1.0 | 0.3
arubanetworks | clearpass | eq | 5.0 | 0.3
apache | struts | eq | 2.3.41 | 0.3
apache | struts | eq | 2.2.3 | 0.3
apache | struts | eq | 2.2 | 0.3
apache | struts | eq | 2.1.8 | 0.3
apache | struts | eq | 2.1.6 | 0.3
apache | struts | eq | 2.1.5 | 0.3
apache | struts | eq | 2.1.2 | 0.3
apache | struts | eq | 2.1.1 | 0.3
apache | struts | eq | 2.1 | 0.3
apache | struts | eq | 2.0.14 | 0.3
apache | struts | eq | 2.0.12 | 0.3
apache | struts | eq | 2.0.11 | 0.3
apache | struts | eq | 2.0.10 | 0.3
apache | struts | eq | 2.0.9 | 0.3
apache | struts | eq | 2.0.8 | 0.3
apache | struts | eq | 2.0.7 | 0.3
apache | struts | eq | 2.0.6 | 0.3
apache | struts | eq | 2.0.5 | 0.3
apache | struts | eq | 2.0.4 | 0.3
apache | struts | eq | 2.0.3 | 0.3
apache | struts | eq | 2.0.2 | 0.3
apache | struts | eq | 2.0.1 | 0.3
apache | struts | eq | 2.0 | 0.3
apache | struts | eq | 2.3.15 | 0.3
apache | struts | eq | 2.3.14.3 | 0.3
apache | struts | eq | 2.3.14.2 | 0.3
apache | struts | eq | 2.3.14.1 | 0.3
apache | struts | eq | 2.3.14 | 0.3
apache | struts | eq | 2.3.1.2 | 0.3
apache | struts | eq | 2.3.1.1 | 0.3
apache | struts | eq | 2.3.1 | 0.3
apache | struts | eq | 2.2.3.1 | 0.3
apache | struts | eq | 2.1.4 | 0.3
apache | struts | eq | 2.1.3 | 0.3
apache | struts | eq | 2.0.13 | 0.3
skavanagh | keybox | ne | 2.10.03 | 0.3
skavanagh | ec2box | ne | 0.11.02 | 0.3
arubanetworks | clearpass | ne | 6.3.2 | 0.3
arubanetworks | clearpass | ne | 6.2.6 | 0.3
arubanetworks | clearpass | ne | 6.1.4 | 0.3
apache | struts | ne | 2.3.16.2 | 0.3

sources: BID: 67081 // JVNDB: JVNDB-2014-002269 // CNNVD: CNNVD-201404-570 // NVD: CVE-2014-0113
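Because the scope column mixes exact releases (eq), range bounds (gte, lt, lte) and the fixed release (ne), a version check has to evaluate all of them, and version strings such as 2.3.16.1 and 2.3.4 must be compared numerically rather than as text. Added example (Python written for this entry, not a tool from any vendor listed above): an evaluator over the Apache Struts rows from the list, plus a second row set carrying NVD's wider "before 2.3.20" bound so the two readings of the affected range can be compared side by side. The pom fragment it scans is constructed.

```python
"""
Added example (not part of the original entry): evaluate a struts2-core version
against the apache/struts scope rows in the AFFECTED PRODUCTS list. Versions
are compared as integer tuples so that 2.3.16.1 sorts after 2.3.4; a plain
string comparison gets this wrong. The pom fragment is constructed.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """'2.3.16.1' -> (2, 3, 16, 1). A qualifier such as '-SNAPSHOT' is dropped."""
    core = re.split(r"[-_+]", v.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def cmp_versions(a: Version, b: Version) -> int:
    """-1, 0 or 1; missing trailing components count as 0, so 2.3 == 2.3.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


# Apache Struts rows copied from the list above (scope, version). "eq" rows
# enumerate individual affected releases; "ne" marks the fixed release.
STRUTS_ROWS: List[Tuple[str, str]] = [
    ("gte", "2.0.0"), ("lt", "2.3.16.2"), ("ne", "2.3.16.2"),
    ("eq", "2.3.16.1"), ("eq", "2.3.16"), ("eq", "2.3.15.3"), ("eq", "2.3.4"),
]

# NVD's own wording for this CVE is "before 2.3.20", a wider bound than S2-021's.
NVD_ROWS: List[Tuple[str, str]] = [("lt", "2.3.20")]

# How each range scope constrains the sign of cmp_versions(candidate, bound).
BOUNDS: Dict[str, Callable[[int], bool]] = {
    "gte": lambda c: c >= 0, "gt": lambda c: c > 0,
    "lte": lambda c: c <= 0, "lt": lambda c: c < 0,
}


def assess(version: str, rows: List[Tuple[str, str]] = STRUTS_ROWS) -> str:
    """Return 'fixed', 'affected' or 'not listed' for one version against the rows."""
    v = parse_version(version)

    def rel(bound: str) -> int:
        return cmp_versions(v, parse_version(bound))

    if any(s == "ne" and rel(x) == 0 for s, x in rows):
        return "fixed"
    if any(s == "eq" and rel(x) == 0 for s, x in rows):
        return "affected"
    ranged = [(s, x) for s, x in rows if s in BOUNDS]
    if ranged and all(BOUNDS[s](rel(x)) for s, x in ranged):
        return "affected"
    return "not listed"


# Constructed pom.xml fragment (not a real project).
POM_FRAGMENT = """
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.3.16.1</version>
</dependency>
"""


def struts_versions_in_pom(pom: str) -> List[str]:
    """Pull every struts2-core <version> out of a pom.xml text."""
    pat = re.compile(
        r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>")
    return pat.findall(pom)


if __name__ == "__main__":
    for ver in struts_versions_in_pom(POM_FRAGMENT) + ["2.3.16.2", "2.3.17", "2.3.20"]:
        print(f"{ver:10} S2-021 rows: {assess(ver):10}  NVD bound: {assess(ver, NVD_ROWS)}")
```

A release such as 2.3.17 comes out "not listed" against the S2-021 rows but "affected" against NVD's bound, which is the discrepancy between the two sources that a reader of this entry should resolve before closing a finding.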

CVSS

SEVERITY

nvd@nist.gov: CVE-2014-0113
value: HIGH

Trust: 1.0

NVD: CVE-2014-0113
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201404-570
value: HIGH

Trust: 0.6

VULMON: CVE-2014-0113
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2014-0113
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

CVSSV3

(no CVSS v3 score recorded for this entry)

Trust: 1.9

sources: VULMON: CVE-2014-0113 // JVNDB: JVNDB-2014-002269 // CNNVD: CNNVD-201404-570 // NVD: CVE-2014-0113

PROBLEMTYPE DATA

problemtype: CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2014-002269 // NVD: CVE-2014-0113

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-570

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201404-570

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002269

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2014-0113

PATCH

title: Security Bulletins S2-021
url: https://cwiki.apache.org/confluence/display/WW/S2-021

Trust: 0.8

title: Download a Release of Apache Struts -- Full Releases Struts 2.3.16.2
url: http://struts.apache.org/download.cgi#struts23162

Trust: 0.8

title: 1680848
url: http://www-01.ibm.com/support/docview.wss?uid=swg21680848

Trust: 0.8

title: 1681190
url: http://www-01.ibm.com/support/docview.wss?uid=swg21681190

Trust: 0.8

title: NV15-001
url: http://jpn.nec.com/security-info/secinfo/nv15-001.html

Trust: 0.8

title: Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices
url: http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html

Trust: 0.8

title: Oracle Critical Patch Update Advisory - April 2015
url: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Trust: 0.8

title: April 2015 Critical Patch Update Released
url: https://blogs.oracle.com/security/entry/april_2015_critical_patch_update

Trust: 0.8

title: Impact of CVE-2014-0094 and related issues (Fujitsu, original title in Japanese)
url: http://software.fujitsu.com/jp/security/vulnerabilities/cve2014-0094-0114.html

Trust: 0.8

title: Symfoware Server (Open interface): Struts vulnerabilities (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (June 2, 2014) (original title in Japanese)
url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/symfoware_201402.html

Trust: 0.8

title: FUJITSU Integrated System HA Database Ready: Struts 2 vulnerabilities (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (June 19, 2014) (original title in Japanese)
url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/ha_db_ready_201401.html

Trust: 0.8

title: struts-2.3.16.2-all
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49668

Trust: 0.6

title: Red Hat: CVE-2014-0113
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2014-0113

Trust: 0.1

title: Oracle: Oracle Critical Patch Update Advisory - April 2015
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=4b527561ba1a5de7a529c8a93679f585

Trust: 0.1

title: -maven-security-versions
url: https://github.com/nagauker/-maven-security-versions

Trust: 0.1

title: maven-security-versions-Travis
url: https://github.com/klee94/maven-security-versions-Travis

Trust: 0.1

title: maven-security-versions
url: https://github.com/victims/maven-security-versions

Trust: 0.1

title: victims
url: https://github.com/tmpgit3000/victims

Trust: 0.1

title: victims
url: https://github.com/alexsh88/victims

Trust: 0.1

sources: VULMON: CVE-2014-0113 // JVNDB: JVNDB-2014-002269 // CNNVD: CNNVD-201404-570

EXTERNAL IDS

db: NVD | id: CVE-2014-0113

Trust: 2.8

db: SECUNIA | id: 59178

Trust: 1.7

db: JVNDB | id: JVNDB-2014-002269

Trust: 0.8

db: CNNVD | id: CNNVD-201404-570

Trust: 0.6

db: BID | id: 67081

Trust: 0.3

db: EXPLOITDB | id: 33142

Trust: 0.1

db: VULMON | id: CVE-2014-0113

Trust: 0.1

sources: VULMON: CVE-2014-0113 // BID: 67081 // JVNDB: JVNDB-2014-002269 // CNNVD: CNNVD-201404-570 // NVD: CVE-2014-0113

REFERENCES

url:http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Trust: 2.0

url:http://www-01.ibm.com/support/docview.wss?uid=swg21676706

Trust: 2.0

url:https://cwiki.apache.org/confluence/display/ww/s2-021

Trust: 1.7

url:http://secunia.com/advisories/59178

Trust: 1.7

url:http://www.securityfocus.com/archive/1/531952/100/0/threaded

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0113

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0113

Trust: 0.8

url:http://www.arubanetworks.com/support/alerts/aid-051414.asc

Trust: 0.3

url:https://github.com/skavanagh/ec2box/releases/tag/v0.11.02

Trust: 0.3

url:https://github.com/skavanagh/keybox/releases/tag/v2.10.03

Trust: 0.3

url:http://struts.apache.org/

Trust: 0.3

url:https://www-304.ibm.com/support/docview.wss?uid=swg21680848

Trust: 0.3

url:https://www-304.ibm.com/support/docview.wss?uid=isg3t1020896

Trust: 0.3

url:https://www-304.ibm.com/support/docview.wss?uid=isg3t1020893

Trust: 0.3

url:http://struts.apache.org/development/2.x/docs/s2-021.html

Trust: 0.3

url:https://www-304.ibm.com/support/docview.wss?uid=isg3t1020894

Trust: 0.3

url:https://www-304.ibm.com/support/docview.wss?uid=isg3t1020895

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/264.html

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=33975

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/victims/maven-security-versions

Trust: 0.1

url:https://www.exploit-db.com/exploits/33142/

Trust: 0.1

sources: VULMON: CVE-2014-0113 // BID: 67081 // JVNDB: JVNDB-2014-002269 // CNNVD: CNNVD-201404-570 // NVD: CVE-2014-0113

CREDITS

Taki Uchiyama, Takeshi Terada, Takayoshi Isayama, Yoshiyuki Karezaki, BAKA/ty, Shine, NSFOCUS Security Team and heige.

Trust: 0.3

sources: BID: 67081

SOURCES

db: VULMON | id: CVE-2014-0113
db: BID | id: 67081
db: JVNDB | id: JVNDB-2014-002269
db: CNNVD | id: CNNVD-201404-570
db: NVD | id: CVE-2014-0113

LAST UPDATE DATE

2024-08-14T12:45:24.515000+00:00


SOURCES UPDATE DATE

db: VULMON | id: CVE-2014-0113 | date: 2019-08-12T00:00:00
db: BID | id: 67081 | date: 2015-05-07T17:38:00
db: JVNDB | id: JVNDB-2014-002269 | date: 2016-08-02T00:00:00
db: CNNVD | id: CNNVD-201404-570 | date: 2019-08-15T00:00:00
db: NVD | id: CVE-2014-0113 | date: 2019-08-12T21:15:12.563

SOURCES RELEASE DATE

db: VULMON | id: CVE-2014-0113 | date: 2014-04-29T00:00:00
db: BID | id: 67081 | date: 2014-04-28T00:00:00
db: JVNDB | id: JVNDB-2014-002269 | date: 2014-04-30T00:00:00
db: CNNVD | id: CNNVD-201404-570 | date: 2014-04-30T00:00:00
db: NVD | id: CVE-2014-0113 | date: 2014-04-29T10:37:03.700