Vulnerability Note VU#719225
Apache Struts2 ClassLoader allows access to class properties via request parameters
Apache Struts2 18.104.22.168 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters
Apache Struts2 22.214.171.124 and earlier contain a vulnerability where the ClassLoader allows access to class properties via request parameters. This vulnerability was previously attempted to be addressed in S2-020 ClassLoader manipulation via request parameters. Unfortunately, the correction wasn't sufficient.
Struts2 provides a mapping between Web parameters and Java methods. So an attacker could invoke a specific method on a remote Java server by specifying it in a URL. All Java objects have a getClass() method, which returns the object's Class (this object represents classes). Every Class has a ClassLoader, which is the class that loaded the initial class; an attacker could access the ClassLoader using the Class.getClassLoader() method.
An unauthenticated attacker could manipulate the ClassLoader into disclosing private Class information or possibly load a malicious class file.
The vendor has stated the following workaround:
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apache Struts||Affected||-||25 Apr 2014|
CVSS Metrics (Learn More)
This vulnerability was publicly reported by Apache Struts2.
This document was written by Michael Orlando and David Svoboda.
- CVE IDs: CVE-2014-0094
- Date Public: 24 Apr 2014
- Date First Published: 25 Apr 2014
- Date Last Updated: 24 Jul 2014
- Document Revision: 14
If you have feedback, comments, or additional information about this vulnerability, please send us email.