Details of VAR-201405-0502

ID

VAR-201405-0502

CVE

CVE-2014-0116

TITLE

Apache Struts of CookieInterceptor In ClassLoader Vulnerability manipulated

Trust: 0.8

sources: JVNDB: JVNDB-2014-002411

DESCRIPTION

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. This vulnerability CVE-2014-0113 Vulnerability due to insufficient fix for.Through a crafted request by a third party, ClassLoader The " operation " And the session state may change. Apache Struts is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Apache Struts versions 2.0.0 through 2.3.16.2 are vulnerable

Trust: 1.98

sources: NVD: CVE-2014-0116 // JVNDB: JVNDB-2014-002411 // BID: 67218 // VULMON: CVE-2014-0116

AFFECTED PRODUCTS

vendor:	apache	model:	struts	scope:	eq	version:	2.3.16.1	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15.1	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.8	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.7	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.4.1	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15.3	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.3	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15.2	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.16.2	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.4	Trust: 1.6
vendor:	apache	model:	struts	scope:	eq	version:	2.0.13	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.5	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.0	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.11.2	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.8	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.2.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14.3	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.6	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.8.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.7	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.0	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.4	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.1.2	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.6	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.2.1.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.8	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.11.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.5	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.3	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.16	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.11	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.12	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.2	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.2.3.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.14	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14.2	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14.1	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.3	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.1.4	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.9	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.12	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.2.3	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.10	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.0.2	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.3.1.1	Trust: 1.0
vendor:	nec	model:	webotx portal	scope:	eq	version:	v9.1	Trust: 0.8
vendor:	nec	model:	infocage	scope:	eq	version:	security risk management v1.0.0 to v2.1.3	Trust: 0.8
vendor:	fujitsu	model:	serverview	scope:	eq	version:	resource orchestrator	Trust: 0.8
vendor:	fujitsu	model:	interstage service integrator	scope:	-	version:	-	Trust: 0.8
vendor:	apache	model:	struts	scope:	eq	version:	2.3.16.3	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	web edition v5.1 to v5.2	Trust: 0.8
vendor:	fujitsu	model:	interstage application server	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage apworks	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	connections	scope:	eq	version:	4.5	Trust: 0.8
vendor:	fujitsu	model:	systemwalker software configuration manager	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	infocage	scope:	eq	version:	pc security	Trust: 0.8
vendor:	nec	model:	webotx application server	scope:	eq	version:	v7.1	Trust: 0.8
vendor:	fujitsu	model:	symfoware	scope:	eq	version:	analytics server	Trust: 0.8
vendor:	fujitsu	model:	interstage application framework suite	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage application development cycle manager	scope:	-	version:	-	Trust: 0.8
vendor:	apache	model:	struts	scope:	lt	version:	2.x	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	rfid manager lite v2.0	Trust: 0.8
vendor:	fujitsu	model:	interstage	scope:	eq	version:	business analytics modeling server	Trust: 0.8
vendor:	oracle	model:	mysql	scope:	lte	version:	enterprise monitor 3.0.10 and earlier	Trust: 0.8
vendor:	nec	model:	webotx portal	scope:	eq	version:	v8.3 to v8.4	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	web edition v6.1 to v6.5	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	enterprise edition v6.1 to v6.5	Trust: 0.8
vendor:	fujitsu	model:	systemwalker service catalog manager	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	esmpro/servermanager	scope:	lte	version:	ver5.75 and earlier	Trust: 0.8
vendor:	fujitsu	model:	cloud infrastructure management software	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	st ard-j edition v5.1 to v5.2	Trust: 0.8
vendor:	ibm	model:	connections	scope:	eq	version:	4.0	Trust: 0.8
vendor:	oracle	model:	mysql	scope:	lte	version:	enterprise monitor 2.3.16 and earlier	Trust: 0.8
vendor:	fujitsu	model:	interstage	scope:	eq	version:	business process manager analytics	Trust: 0.8
vendor:	fujitsu	model:	integrated system ha database ready	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	triole	scope:	eq	version:	cloud middle set b set	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	rfid manager st ard v2.0	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	st ard-j edition v6.1 to v6.5	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	st ard edition v6.1 to v6.5	Trust: 0.8
vendor:	ibm	model:	connections	scope:	lte	version:	3.0.1.1 and earlier	Trust: 0.8
vendor:	fujitsu	model:	interstage studio	scope:	-	version:	-	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	rfid manager enterprise v7.1	Trust: 0.8
vendor:	fujitsu	model:	interstage	scope:	eq	version:	extreme transaction processing server	Trust: 0.8
vendor:	fujitsu	model:	interstage business application server	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	connections	scope:	eq	version:	5.0	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	st ard edition v5.1 to v5.2	Trust: 0.8
vendor:	nec	model:	webotx developer	scope:	eq	version:	"v8.2 to v8.4 (with developers studio only )"	Trust: 0.8
vendor:	fujitsu	model:	interstage	scope:	eq	version:	mobile manager	Trust: 0.8
vendor:	fujitsu	model:	systemwalker service quality coordinator	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	symfoware	scope:	eq	version:	server	Trust: 0.8
vendor:	nec	model:	webotx	scope:	eq	version:	enterprise edition v5.1 to v5.2	Trust: 0.8
vendor:	nec	model:	webotx developer	scope:	eq	version:	"v9.1 to v9.2 (with developers studio only )"	Trust: 0.8
vendor:	fujitsu	model:	interstage job workload server	scope:	-	version:	-	Trust: 0.8
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.11	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.3.1.2	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.2.11	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.7	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.8	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.2	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.4	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.3	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.6	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.5	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.14	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.2.3.1	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.9	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.8	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.1	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.3.1.1	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.1	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.3	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.8.1	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.4	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.2	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.5	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.12	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.1.6	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.13	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.10	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.11.2	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.0.11.1	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.2.3	Trust: 0.3
vendor:	apache	model:	software foundation struts	scope:	eq	version:	2.2	Trust: 0.3

sources: BID: 67218 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0116
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-0116
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201405-150
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2014-0116
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-0116
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

sources: VULMON: CVE-2014-0116 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2014-002411 // NVD: CVE-2014-0116

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201405-150

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201405-150

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002411

PATCH

title:	1680848	url:	http://www-01.ibm.com/support/docview.wss?uid=swg21680848	Trust: 0.8
title:	1681190	url:	http://www-01.ibm.com/support/docview.wss?uid=swg21681190	Trust: 0.8
title:	NV15-001	url:	http://jpn.nec.com/security-info/secinfo/nv15-001.html	Trust: 0.8
title:	Oracle Critical Patch Update Advisory - April 2015	url:	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html	Trust: 0.8
title:	Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices	url:	http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html	Trust: 0.8
title:	Bug 1094558	url:	https://bugzilla.redhat.com/show_bug.cgi?id=1094558	Trust: 0.8
title:	Huawei-SA-20140707-01-Struts2	url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm	Trust: 0.8
title:	April 2015 Critical Patch Update Released	url:	https://blogs.oracle.com/security/entry/april_2015_critical_patch_update	Trust: 0.8
title:	S2-022	url:	http://struts.apache.org/release/2.3.x/docs/s2-022.html	Trust: 0.8
title:	CVE-2014-0094 他に関する影響	url:	http://software.fujitsu.com/jp/security/vulnerabilities/cve2014-0094-0114.html	Trust: 0.8
title:	Symfoware Server（Openインタフェース）: Strutsの脆弱性(CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (2014年6月2日)	url:	http://software.fujitsu.com/jp/security/products-fujitsu/solution/symfoware_201402.html	Trust: 0.8
title:	FUJITSU Integrated System HA Database Ready: Struts2の脆弱性(CVE-2014-0094,CVE-2014-0112,CVE-2014-0113,CVE-2014-0116) (2014年6月19日)	url:	http://software.fujitsu.com/jp/security/products-fujitsu/solution/ha_db_ready_201401.html	Trust: 0.8
title:	Red Hat: CVE-2014-0116	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2014-0116	Trust: 0.1
title:	Oracle: Oracle Critical Patch Update Advisory - April 2015	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=4b527561ba1a5de7a529c8a93679f585	Trust: 0.1
title:	-maven-security-versions	url:	https://github.com/nagauker/-maven-security-versions	Trust: 0.1
title:	maven-security-versions-Travis	url:	https://github.com/klee94/maven-security-versions-Travis	Trust: 0.1
title:	maven-security-versions	url:	https://github.com/victims/maven-security-versions	Trust: 0.1
title:	victims	url:	https://github.com/tmpgit3000/victims	Trust: 0.1
title:	victims	url:	https://github.com/alexsh88/victims	Trust: 0.1

sources: VULMON: CVE-2014-0116 // JVNDB: JVNDB-2014-002411

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0116	Trust: 2.8
db:	BID	id:	67218	Trust: 2.0
db:	SECUNIA	id:	59816	Trust: 1.7
db:	JVNDB	id:	JVNDB-2014-002411	Trust: 0.8
db:	CNNVD	id:	CNNVD-201405-150	Trust: 0.6
db:	VULMON	id:	CVE-2014-0116	Trust: 0.1

sources: VULMON: CVE-2014-0116 // BID: 67218 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

REFERENCES

url:	http://struts.apache.org/release/2.3.x/docs/s2-022.html	Trust: 1.7
url:	http://www.securityfocus.com/bid/67218	Trust: 1.7
url:	http://secunia.com/advisories/59816	Trust: 1.7
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm	Trust: 1.7
url:	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0116	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0116	Trust: 0.8
url:	http://struts.apache.org/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/264.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=34163	Trust: 0.1
url:	https://github.com/victims/maven-security-versions	Trust: 0.1

sources: VULMON: CVE-2014-0116 // BID: 67218 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

CREDITS

Zubair Ashraf of IBM X-Force

Trust: 0.3

sources: BID: 67218

SOURCES

db:	VULMON	id:	CVE-2014-0116
db:	BID	id:	67218
db:	JVNDB	id:	JVNDB-2014-002411
db:	CNNVD	id:	CNNVD-201405-150
db:	NVD	id:	CVE-2014-0116

LAST UPDATE DATE

2024-08-14T15:13:55.654000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2014-0116	date:	2019-08-12T00:00:00
db:	BID	id:	67218	date:	2015-04-16T18:14:00
db:	JVNDB	id:	JVNDB-2014-002411	date:	2016-08-02T00:00:00
db:	CNNVD	id:	CNNVD-201405-150	date:	2019-08-15T00:00:00
db:	NVD	id:	CVE-2014-0116	date:	2019-08-12T21:15:12.703

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2014-0116	date:	2014-05-08T00:00:00
db:	BID	id:	67218	date:	2014-05-06T00:00:00
db:	JVNDB	id:	JVNDB-2014-002411	date:	2014-05-09T00:00:00
db:	CNNVD	id:	CNNVD-201405-150	date:	2014-05-09T00:00:00
db:	NVD	id:	CVE-2014-0116	date:	2014-05-08T10:55:02.967