ID

VAR-201405-0502


CVE

CVE-2014-0116


TITLE

Apache Struts CookieInterceptor vulnerability allowing ClassLoader manipulation

Trust: 0.8

sources: JVNDB: JVNDB-2014-002411

DESCRIPTION

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. This vulnerability exists because the fix for CVE-2014-0113 was insufficient; through a crafted request, a third party may "manipulate" the ClassLoader and change the session state. Apache Struts is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Apache Struts versions 2.0.0 through 2.3.16.2 are vulnerable.

Trust: 1.98

sources: NVD: CVE-2014-0116 // JVNDB: JVNDB-2014-002411 // BID: 67218 // VULMON: CVE-2014-0116

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
apache | struts | eq | 2.3.16.1 | 1.6
apache | struts | eq | 2.3.15.1 | 1.6
apache | struts | eq | 2.3.8 | 1.6
apache | struts | eq | 2.3.7 | 1.6
apache | struts | eq | 2.3.4.1 | 1.6
apache | struts | eq | 2.3.15.3 | 1.6
apache | struts | eq | 2.3.3 | 1.6
apache | struts | eq | 2.3.15.2 | 1.6
apache | struts | eq | 2.3.16.2 | 1.6
apache | struts | eq | 2.3.4 | 1.6
apache | struts | eq | 2.0.13 | 1.0
apache | struts | eq | 2.0.1 | 1.0
apache | struts | eq | 2.0.5 | 1.0
apache | struts | eq | 2.1.0 | 1.0
apache | struts | eq | 2.0.11.2 | 1.0
apache | struts | eq | 2.1.8 | 1.0
apache | struts | eq | 2.2.1 | 1.0
apache | struts | eq | 2.3.15 | 1.0
apache | struts | eq | 2.1.1 | 1.0
apache | struts | eq | 2.3.14.3 | 1.0
apache | struts | eq | 2.0.6 | 1.0
apache | struts | eq | 2.1.8.1 | 1.0
apache | struts | eq | 2.3.1 | 1.0
apache | struts | eq | 2.0.7 | 1.0
apache | struts | eq | 2.0.0 | 1.0
apache | struts | eq | 2.0.4 | 1.0
apache | struts | eq | 2.3.1.2 | 1.0
apache | struts | eq | 2.1.6 | 1.0
apache | struts | eq | 2.2.1.1 | 1.0
apache | struts | eq | 2.0.8 | 1.0
apache | struts | eq | 2.0.11.1 | 1.0
apache | struts | eq | 2.3.14 | 1.0
apache | struts | eq | 2.1.5 | 1.0
apache | struts | eq | 2.1.3 | 1.0
apache | struts | eq | 2.3.16 | 1.0
apache | struts | eq | 2.0.11 | 1.0
apache | struts | eq | 2.0.12 | 1.0
apache | struts | eq | 2.1.2 | 1.0
apache | struts | eq | 2.2.3.1 | 1.0
apache | struts | eq | 2.0.14 | 1.0
apache | struts | eq | 2.3.14.2 | 1.0
apache | struts | eq | 2.3.14.1 | 1.0
apache | struts | eq | 2.0.3 | 1.0
apache | struts | eq | 2.1.4 | 1.0
apache | struts | eq | 2.0.9 | 1.0
apache | struts | eq | 2.3.12 | 1.0
apache | struts | eq | 2.2.3 | 1.0
apache | struts | eq | 2.0.10 | 1.0
apache | struts | eq | 2.0.2 | 1.0
apache | struts | eq | 2.3.1.1 | 1.0
nec | webotx portal | eq | v9.1 | 0.8
nec | infocage | eq | security risk management v1.0.0 to v2.1.3 | 0.8
fujitsu | serverview | eq | resource orchestrator | 0.8
fujitsu | interstage service integrator | - | - | 0.8
apache | struts | eq | 2.3.16.3 | 0.8
nec | webotx | eq | web edition v5.1 to v5.2 | 0.8
fujitsu | interstage application server | - | - | 0.8
fujitsu | interstage apworks | - | - | 0.8
ibm | connections | eq | 4.5 | 0.8
fujitsu | systemwalker software configuration manager | - | - | 0.8
nec | infocage | eq | pc security | 0.8
nec | webotx application server | eq | v7.1 | 0.8
fujitsu | symfoware | eq | analytics server | 0.8
fujitsu | interstage application framework suite | - | - | 0.8
fujitsu | interstage application development cycle manager | - | - | 0.8
apache | struts | lt | 2.x | 0.8
nec | webotx | eq | rfid manager lite v2.0 | 0.8
fujitsu | interstage | eq | business analytics modeling server | 0.8
oracle | mysql | lte | enterprise monitor 3.0.10 and earlier | 0.8
nec | webotx portal | eq | v8.3 to v8.4 | 0.8
nec | webotx | eq | web edition v6.1 to v6.5 | 0.8
nec | webotx | eq | enterprise edition v6.1 to v6.5 | 0.8
fujitsu | systemwalker service catalog manager | - | - | 0.8
nec | esmpro/servermanager | lte | ver5.75 and earlier | 0.8
fujitsu | cloud infrastructure management software | - | - | 0.8
nec | webotx | eq | standard-j edition v5.1 to v5.2 | 0.8
ibm | connections | eq | 4.0 | 0.8
oracle | mysql | lte | enterprise monitor 2.3.16 and earlier | 0.8
fujitsu | interstage | eq | business process manager analytics | 0.8
fujitsu | integrated system ha database ready | - | - | 0.8
fujitsu | triole | eq | cloud middle set b set | 0.8
nec | webotx | eq | rfid manager standard v2.0 | 0.8
nec | webotx | eq | standard-j edition v6.1 to v6.5 | 0.8
nec | webotx | eq | standard edition v6.1 to v6.5 | 0.8
ibm | connections | lte | 3.0.1.1 and earlier | 0.8
fujitsu | interstage studio | - | - | 0.8
nec | webotx | eq | rfid manager enterprise v7.1 | 0.8
fujitsu | interstage | eq | extreme transaction processing server | 0.8
fujitsu | interstage business application server | - | - | 0.8
ibm | connections | eq | 5.0 | 0.8
nec | webotx | eq | standard edition v5.1 to v5.2 | 0.8
nec | webotx developer | eq | v8.2 to v8.4 (with developers studio only) | 0.8
fujitsu | interstage | eq | mobile manager | 0.8
fujitsu | systemwalker service quality coordinator | - | - | 0.8
fujitsu | symfoware | eq | server | 0.8
nec | webotx | eq | enterprise edition v5.1 to v5.2 | 0.8
nec | webotx developer | eq | v9.1 to v9.2 (with developers studio only) | 0.8
fujitsu | interstage job workload server | - | - | 0.8
apache | software foundation struts | eq | 2.1 | 0.3
apache | software foundation struts | eq | 2.0 | 0.3
apache | software foundation struts | eq | 2.0.11 | 0.3
apache | software foundation struts | eq | 2.3.1.2 | 0.3
apache | software foundation struts | eq | 2.2.11 | 0.3
apache | software foundation struts | eq | 2.0.7 | 0.3
apache | software foundation struts | eq | 2.1.8 | 0.3
apache | software foundation struts | eq | 2.0.2 | 0.3
apache | software foundation struts | eq | 2.1.4 | 0.3
apache | software foundation struts | eq | 2.0.3 | 0.3
apache | software foundation struts | eq | 2.0.6 | 0.3
apache | software foundation struts | eq | 2.0.5 | 0.3
apache | software foundation struts | eq | 2.0.14 | 0.3
apache | software foundation struts | eq | 2.2.3.1 | 0.3
apache | software foundation struts | eq | 2.0.9 | 0.3
apache | software foundation struts | eq | 2.0.8 | 0.3
apache | software foundation struts | eq | 2.1.1 | 0.3
apache | software foundation struts | eq | 2.3.1.1 | 0.3
apache | software foundation struts | eq | 2.0.1 | 0.3
apache | software foundation struts | eq | 2.1.3 | 0.3
apache | software foundation struts | eq | 2.1.8.1 | 0.3
apache | software foundation struts | eq | 2.0.4 | 0.3
apache | software foundation struts | eq | 2.1.2 | 0.3
apache | software foundation struts | eq | 2.1.5 | 0.3
apache | software foundation struts | eq | 2.0.12 | 0.3
apache | software foundation struts | eq | 2.1.6 | 0.3
apache | software foundation struts | eq | 2.0.13 | 0.3
apache | software foundation struts | eq | 2.0.10 | 0.3
apache | software foundation struts | eq | 2.0.11.2 | 0.3
apache | software foundation struts | eq | 2.0.11.1 | 0.3
apache | software foundation struts | eq | 2.2.3 | 0.3
apache | software foundation struts | eq | 2.2 | 0.3

sources: BID: 67218 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-0116
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-0116
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201405-150
value: MEDIUM

Trust: 0.6

VULMON: CVE-2014-0116
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-0116
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

sources: VULMON: CVE-2014-0116 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

PROBLEMTYPE DATA

problemtype: CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2014-002411 // NVD: CVE-2014-0116

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201405-150

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201405-150

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002411

PATCH

title: 1680848
url: http://www-01.ibm.com/support/docview.wss?uid=swg21680848

Trust: 0.8

title: 1681190
url: http://www-01.ibm.com/support/docview.wss?uid=swg21681190

Trust: 0.8

title: NV15-001
url: http://jpn.nec.com/security-info/secinfo/nv15-001.html

Trust: 0.8

title: Oracle Critical Patch Update Advisory - April 2015
url: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Trust: 0.8

title: Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices
url: http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html

Trust: 0.8

title: Bug 1094558
url: https://bugzilla.redhat.com/show_bug.cgi?id=1094558

Trust: 0.8

title: Huawei-SA-20140707-01-Struts2
url: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm

Trust: 0.8

title: April 2015 Critical Patch Update Released
url: https://blogs.oracle.com/security/entry/april_2015_critical_patch_update

Trust: 0.8

title: S2-022
url: http://struts.apache.org/release/2.3.x/docs/s2-022.html

Trust: 0.8

title: Impact of CVE-2014-0094 and related vulnerabilities
url: http://software.fujitsu.com/jp/security/vulnerabilities/cve2014-0094-0114.html

Trust: 0.8

title: Symfoware Server (Open interface): Struts vulnerabilities (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (June 2, 2014)
url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/symfoware_201402.html

Trust: 0.8

title: FUJITSU Integrated System HA Database Ready: Struts2 vulnerabilities (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0116) (June 19, 2014)
url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/ha_db_ready_201401.html

Trust: 0.8

title: Red Hat: CVE-2014-0116
url: https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2014-0116

Trust: 0.1

title: Oracle: Oracle Critical Patch Update Advisory - April 2015
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=4b527561ba1a5de7a529c8a93679f585

Trust: 0.1

title: -maven-security-versions
url: https://github.com/nagauker/-maven-security-versions

Trust: 0.1

title: maven-security-versions-Travis
url: https://github.com/klee94/maven-security-versions-Travis

Trust: 0.1

title: maven-security-versions
url: https://github.com/victims/maven-security-versions

Trust: 0.1

title: victims
url: https://github.com/tmpgit3000/victims

Trust: 0.1

title: victims
url: https://github.com/alexsh88/victims

Trust: 0.1

sources: VULMON: CVE-2014-0116 // JVNDB: JVNDB-2014-002411

EXTERNAL IDS

db | id | Trust
NVD | CVE-2014-0116 | 2.8
BID | 67218 | 2.0
SECUNIA | 59816 | 1.7
JVNDB | JVNDB-2014-002411 | 0.8
CNNVD | CNNVD-201405-150 | 0.6
VULMON | CVE-2014-0116 | 0.1

sources: VULMON: CVE-2014-0116 // BID: 67218 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

REFERENCES

url | Trust
http://struts.apache.org/release/2.3.x/docs/s2-022.html | 1.7
http://www.securityfocus.com/bid/67218 | 1.7
http://secunia.com/advisories/59816 | 1.7
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm | 1.7
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html | 1.7
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0116 | 0.8
http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0116 | 0.8
http://struts.apache.org/ | 0.3
https://cwe.mitre.org/data/definitions/264.html | 0.1
https://nvd.nist.gov | 0.1
http://tools.cisco.com/security/center/viewalert.x?alertid=34163 | 0.1
https://github.com/victims/maven-security-versions | 0.1

sources: VULMON: CVE-2014-0116 // BID: 67218 // JVNDB: JVNDB-2014-002411 // CNNVD: CNNVD-201405-150 // NVD: CVE-2014-0116

CREDITS

Zubair Ashraf of IBM X-Force

Trust: 0.3

sources: BID: 67218

SOURCES

db | id
VULMON | CVE-2014-0116
BID | 67218
JVNDB | JVNDB-2014-002411
CNNVD | CNNVD-201405-150
NVD | CVE-2014-0116

LAST UPDATE DATE

2024-08-14T15:13:55.654000+00:00

SOURCES UPDATE DATE

db | id | date
VULMON | CVE-2014-0116 | 2019-08-12T00:00:00
BID | 67218 | 2015-04-16T18:14:00
JVNDB | JVNDB-2014-002411 | 2016-08-02T00:00:00
CNNVD | CNNVD-201405-150 | 2019-08-15T00:00:00
NVD | CVE-2014-0116 | 2019-08-12T21:15:12.703

SOURCES RELEASE DATE

db | id | date
VULMON | CVE-2014-0116 | 2014-05-08T00:00:00
BID | 67218 | 2014-05-06T00:00:00
JVNDB | JVNDB-2014-002411 | 2014-05-09T00:00:00
CNNVD | CNNVD-201405-150 | 2014-05-09T00:00:00
NVD | CVE-2014-0116 | 2014-05-08T10:55:02.967