what you don't know can hurt you
Showing 1 - 18 of 18 RSS Feed

CVE-2014-0114

Status Candidate

Overview

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Related Files

Red Hat Security Advisory 2019-2995-01
Posted Oct 10, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-2995-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. A Class Loader manipulation vulnerability was addressed.

tags | advisory, protocol
systems | linux, redhat
advisories | CVE-2014-0114
SHA-256 | dd9ea47c1d0afaf31a5d352fe371b0637db5ce6186d2c3b24e0e7e14586fdfb2
Red Hat Security Advisory 2018-2669-01
Posted Sep 11, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-2669-01 - Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, path sanitization, and traversal vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2014-0114, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2016-5397, CVE-2017-14063, CVE-2018-1000129, CVE-2018-1000130, CVE-2018-1000180, CVE-2018-1114, CVE-2018-1271, CVE-2018-1272, CVE-2018-1338, CVE-2018-1339, CVE-2018-8036, CVE-2018-8088
SHA-256 | 7b3635d1483cb247ae4e0a03ee8632f66f34f0c49a1302091a6f17cc60f5582a
OSCAR EMR 15.21beta361 XSS / Disclosure / CSRF / Insecure Direct Object Reference
Posted Aug 23, 2018
Authored by Brian D. Hysell

OSCAR EMR version 15.21beta361 suffers from remote code execution, cross site request forgery, cross site scripting, denial of service, deserialization, remote SQL injection, and path traversal vulnerabilities.

tags | exploit, remote, denial of service, vulnerability, code execution, xss, sql injection, csrf
advisories | CVE-2014-0114
SHA-256 | b49a30c7affbcdc3aadacdc0ecd98471127fca93159d568f99389e4095c9ecbb
HP Security Bulletin HPSBGN03669 1
Posted Nov 15, 2016
Authored by HP | Site hp.com

HP Security Bulletin HPSBGN03669 1 - Potential vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited to allow local elevation of privilege and exploited remotely to allow denial of service, arbitrary code execution, cross-site request forgery. Revision 1 of this advisory.

tags | advisory, denial of service, arbitrary, local, vulnerability, code execution, csrf
advisories | CVE-2013-6429, CVE-2014-0050, CVE-2014-0107, CVE-2014-0114, CVE-2015-3253, CVE-2015-5652, CVE-2016-0763
SHA-256 | ac957c536f14c0a27badb6f04185ed0c67d4cacfcf48129853672a6a8767ef2f
Gentoo Linux Security Advisory 201607-09
Posted Jul 20, 2016
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201607-9 - Apache Commons BeanUtils does not properly suppress the class property, which could lead to the remote execution of arbitrary code. Versions below 1.9.2 are affected.

tags | advisory, remote, arbitrary
systems | linux, gentoo
advisories | CVE-2014-0114
SHA-256 | e796b79d0cecceb30859bf6409dd12a908bf0b6687463fd62c86692038a1b122
HP Security Bulletin HPSBST03160
Posted Oct 28, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBST03160 - A potential security vulnerability has been identified with HP XP Command View Advanced Edition running Apache Struts. Revision 1 of this advisory.

tags | advisory
advisories | CVE-2014-0114
SHA-256 | 7347708214d9e40bfa1feac22c945e22da23247a26c666e8ec2f25128975846d
VMware Security Advisory 2014-0008
Posted Sep 11, 2014
Authored by VMware | Site vmware.com

VMware Security Advisory 2014-0008 - VMware has updated vSphere third party libraries.

tags | advisory
advisories | CVE-2013-0242, CVE-2013-1914, CVE-2013-4322, CVE-2013-4590, CVE-2014-0050, CVE-2014-0114
SHA-256 | 961f1fa58ab6b80903bbc3ac882d262194e375452629d457597ffbc1b2b2c93c
Debian Security Advisory 2940-1
Posted Aug 21, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2940-1 - It was discovered that missing access checks in the Struts ActionForm object could result in the execution of arbitrary code.

tags | advisory, arbitrary
systems | linux, debian
advisories | CVE-2014-0114
SHA-256 | a2c5ba27eba620d705bc979e39632bb700c5a4d3e90ae0a26a1a3d26bf11271a
HP Security Bulletin HPSBMU03090
Posted Aug 14, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03090 - A potential security vulnerability has been identified with HP SiteScope. The vulnerability could be exploited remotely to allow execution of arbitrary code. Revision 1 of this advisory.

tags | advisory, arbitrary
advisories | CVE-2014-0114
SHA-256 | 08170bb50ff7c64c4846293aaff4cec011cdc0f0d377009be496d884f440c8cf
HP Security Bulletin HPSBGN03041
Posted May 27, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBGN03041 - A potential security vulnerability has been identified with HP IceWall Configuration Manager running Apache Struts. The vulnerability could be exploited remotely resulting in execution of arbitrary code. Revision 1 of this advisory.

tags | advisory, arbitrary
advisories | CVE-2014-0114
SHA-256 | 64795997cd5a317c0b565929f621a7404bfe676a059784dec8dc3165de9eec6b
Mandriva Linux Security Advisory 2014-095
Posted May 19, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-095 - It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, remote, code execution
systems | linux, mandriva
advisories | CVE-2014-0114
SHA-256 | bdda9e490d58910aa0c5c618c3765ea30a160f6fb71b2be4423f4076d612bfb3
Red Hat Security Advisory 2014-0511-01
Posted May 15, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0511-01 - Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, java, remote, web, code execution
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0114
SHA-256 | 1ca60d1e65c986cd9a9a0da28640c61b3da39426145fa0d4d41a7308e48cf2da
Red Hat Security Advisory 2014-0500-01
Posted May 14, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0500-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and remote management of multiple Linux deployments with a single, centralized tool. Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, java, remote, web, code execution
systems | linux, redhat
advisories | CVE-2014-0114
SHA-256 | 053eff3848e4c3323f01275daa23b1e1daef01bac18cef89f48a1661ee568d5c
Red Hat Security Advisory 2014-0498-01
Posted May 14, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0498-01 - Fuse ESB Enterprise is an integration platform based on Apache ServiceMix. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, remote, code execution
systems | linux, redhat
advisories | CVE-2014-0114
SHA-256 | 3e5f89f145def43de588d0721a600340738c1ea9eb26430a4c4f834dd52d984f
Red Hat Security Advisory 2014-0497-01
Posted May 14, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0497-01 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, remote, code execution
systems | linux, redhat
advisories | CVE-2014-0114
SHA-256 | 05112fa5138fd82396c980f77a6914edfd660c9bf09fec3eb3388fae84907976
Red Hat Security Advisory 2014-0474-01
Posted May 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0474-01 - Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.

tags | advisory, java, remote, web, code execution
systems | linux, redhat
advisories | CVE-2014-0114
SHA-256 | d012c34ca5796768ff82182aacb36f0a7e897e45e96c86d8e528eb920b2fd870
Struts 1 ClassLoader Manipulation Update
Posted May 3, 2014
Authored by Rene Gielen | Site struts.apache.org

Apache Struts 1, now EOL'ed a year ago, suffers from a ClassLoader manipulation vulnerability similar to recent findings. Alvaro Munoz and the HP Fortify team have helped the Struts team come up with a recommendation for mitigation.

tags | advisory
advisories | CVE-2014-0114
SHA-256 | f9f8a680c7342a4ec7664f0833621f029bef66354e591a521ed9ce01dd951ae2
Struts 1 ClassLoader Manipulation
Posted Apr 29, 2014
Authored by Rene Gielen | Site struts.apache.org

Apache Struts 1, now EOL'ed a year ago, suffers from a ClassLoader manipulation vulnerability similar to recent findings.

tags | advisory
advisories | CVE-2014-0114
SHA-256 | d753af8cf08ba2c2ef2788acb38ccb3268e20b5f6097e41ffbf640ac694b1f2f
Page 1 of 1
Back1Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close