
CVE-2014-0114

Status Candidate

Overview

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
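The mechanism behind this description, as an added example that is not code from Struts or Commons BeanUtils: a stripped-down nested-property walk of the kind BeanUtils.populate() performs on a Struts 1 ActionForm, built on the JDK's own JavaBeans Introspector. Because Object.getClass() satisfies the getter naming convention, every bean exposes a read-only "class" property, and a request parameter named class.classLoader hands the walk a java.lang.Class to continue from. The LoginForm class, the parameter names and the suppressClass switch are this example's assumptions; the switch stands in for the suppression that BeanUtils 1.9.2 introduced.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.InvocationTargetException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

// Added example, not code from Struts or Commons BeanUtils. It models the
// nested-property walk that BeanUtils.populate() performs on a Struts 1
// ActionForm, using the JDK's JavaBeans Introspector, which is why
// Object.getClass() shows up as a read-only "class" property.
public class ClassPropertyDemo {

    // Hypothetical ActionForm stand-in; any class with getters will do.
    public static class LoginForm {
        private String username = "";
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // The fix shipped in BeanUtils 1.9.2 amounts to refusing this name.
    private static final Set<String> SUPPRESSED = Collections.singleton("class");

    // Read one property through its JavaBeans getter; null when the bean
    // has no such readable property or the name is suppressed.
    static Object readProperty(Object bean, String name, boolean suppressClass)
            throws IntrospectionException, IllegalAccessException, InvocationTargetException {
        if (suppressClass && SUPPRESSED.contains(name)) {
            return null;
        }
        BeanInfo info = Introspector.getBeanInfo(bean.getClass());
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getName().equals(name) && pd.getReadMethod() != null) {
                return pd.getReadMethod().invoke(bean);
            }
        }
        return null;
    }

    // For a request parameter "a.b.c", nested population reads a, then b,
    // via their getters and sets c on whatever object that yields. This
    // returns that final target object, or null if the walk is cut off.
    static Object resolveSetterTarget(Object bean, String paramName, boolean suppressClass)
            throws IntrospectionException, IllegalAccessException, InvocationTargetException {
        String[] segments = paramName.split("\\.");
        Object current = bean;
        for (int i = 0; i < segments.length - 1; i++) {
            current = readProperty(current, segments[i], suppressClass);
            if (current == null) {
                return null;
            }
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();
        // Constructed parameter names as they would arrive in a Struts 1
        // request. The real chain continues from the ClassLoader into
        // container-specific objects; the point here is only that "class"
        // hands the walk a java.lang.Class object to keep going from.
        for (String param : Arrays.asList("username", "class.classLoader")) {
            Object unpatched = resolveSetterTarget(form, param, false);
            Object patched = resolveSetterTarget(form, param, true);
            System.out.printf("%-18s unpatched target: %s%n", param,
                    unpatched == null ? "(cut off)" : unpatched.getClass().getName());
            System.out.printf("%-18s patched   target: %s%n", param,
                    patched == null ? "(cut off)" : patched.getClass().getName());
        }
    }
}
```

With suppression off, the second parameter resolves its setter target to a java.lang.Class object; with it on, the walk stops at the first segment and nothing past the form is reachable from request data.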

Related Files

Red Hat Security Advisory 2019-2995-01
Posted Oct 10, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-2995-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. A Class Loader manipulation vulnerability was addressed.

tags | advisory, protocol
systems | linux, redhat
advisories | CVE-2014-0114
MD5 | b2bf57a727878f0139d1327d46e1fa20
Red Hat Security Advisory 2018-2669-01
Posted Sep 11, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-2669-01 - Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, path sanitization, and traversal vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2014-0114, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2016-5397, CVE-2017-14063, CVE-2018-1000129, CVE-2018-1000130, CVE-2018-1000180, CVE-2018-1114, CVE-2018-1271, CVE-2018-1272, CVE-2018-1338, CVE-2018-1339, CVE-2018-8036, CVE-2018-8088
MD5 | e2467e2f9a34b5dd740776d2a5621843
OSCAR EMR 15.21beta361 XSS / Disclosure / CSRF / Insecure Direct Object Reference
Posted Aug 23, 2018
Authored by Brian D. Hysell

OSCAR EMR version 15.21beta361 suffers from remote code execution, cross site request forgery, cross site scripting, denial of service, deserialization, remote SQL injection, and path traversal vulnerabilities.

tags | exploit, remote, denial of service, vulnerability, code execution, xss, sql injection, csrf
advisories | CVE-2014-0114
MD5 | 6823c6acccafa60cd8d4e4359d2ae81f
HP Security Bulletin HPSBGN03669 1
Posted Nov 15, 2016
Authored by HP | Site hp.com

HP Security Bulletin HPSBGN03669 1 - Potential vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited locally to allow elevation of privilege, and remotely to allow denial of service, arbitrary code execution, and cross-site request forgery. Revision 1 of this advisory.

tags | advisory, denial of service, arbitrary, local, vulnerability, code execution, csrf
advisories | CVE-2013-6429, CVE-2014-0050, CVE-2014-0107, CVE-2014-0114, CVE-2015-3253, CVE-2015-5652, CVE-2016-0763
MD5 | 9c99b97a183917775b0c0418b4194854
Gentoo Linux Security Advisory 201607-09
Posted Jul 20, 2016
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201607-09 - Apache Commons BeanUtils does not properly suppress the class property, which could lead to the remote execution of arbitrary code. Versions below 1.9.2 are affected.

tags | advisory, remote, arbitrary
systems | linux, gentoo
advisories | CVE-2014-0114
MD5 | bbb4bb90d2d69cabe7c640caf3a230f7
HP Security Bulletin HPSBST03160
Posted Oct 28, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBST03160 - A potential security vulnerability has been identified with HP XP Command View Advanced Edition running Apache Struts. Revision 1 of this advisory.

tags | advisory
advisories | CVE-2014-0114
MD5 | 9b395dbdfb2853bc1226c83291fe27ca
VMware Security Advisory 2014-0008
Posted Sep 11, 2014
Authored by VMware | Site vmware.com

VMware Security Advisory 2014-0008 - VMware has updated vSphere third party libraries.

tags | advisory
advisories | CVE-2013-0242, CVE-2013-1914, CVE-2013-4322, CVE-2013-4590, CVE-2014-0050, CVE-2014-0114
MD5 | 39eac37f6e1dbb57e7d35ab3c27198e6
Debian Security Advisory 2940-1
Posted Aug 21, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2940-1 - It was discovered that missing access checks in the Struts ActionForm object could result in the execution of arbitrary code.

tags | advisory, arbitrary
systems | linux, debian
advisories | CVE-2014-0114
MD5 | 39cdf20b0014b76773979dfc0b02fa5e
HP Security Bulletin HPSBMU03090
Posted Aug 14, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03090 - A potential security vulnerability has been identified with HP SiteScope. The vulnerability could be exploited remotely to allow execution of arbitrary code. Revision 1 of this advisory.

tags | advisory, arbitrary
advisories | CVE-2014-0114
MD5 | c4057723abd0e04888781cbccb2b4aaf
HP Security Bulletin HPSBGN03041
Posted May 27, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBGN03041 - A potential security vulnerability has been identified with HP IceWall Configuration Manager running Apache Struts. The vulnerability could be exploited remotely resulting in execution of arbitrary code. Revision 1 of this advisory.

tags | advisory, arbitrary
advisories | CVE-2014-0114
MD5 | fb4150bd6e2c01119b9f0f2ebe49e6a0
Mandriva Linux Security Advisory 2014-095
Posted May 19, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-095 - It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, remote, code execution
systems | linux, mandriva
advisories | CVE-2014-0114
MD5 | 4205d082436cdc97e0ada92408be1dfb
Red Hat Security Advisory 2014-0511-01
Posted May 15, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0511-01 - Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, java, remote, web, code execution
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0114
MD5 | 0d3db40019777908c611112e3561a69a
Red Hat Security Advisory 2014-0500-01
Posted May 14, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0500-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and remote management of multiple Linux deployments with a single, centralized tool. Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, java, remote, web, code execution
systems | linux, redhat
advisories | CVE-2014-0114
MD5 | 046d6be5d5ced0953d815ee6eefa443e
Red Hat Security Advisory 2014-0498-01
Posted May 14, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0498-01 - Fuse ESB Enterprise is an integration platform based on Apache ServiceMix. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, remote, code execution
systems | linux, redhat
advisories | CVE-2014-0114
MD5 | 88dc2f3e41de030610a87c412e2602c9
Red Hat Security Advisory 2014-0497-01
Posted May 14, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0497-01 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, remote, code execution
systems | linux, redhat
advisories | CVE-2014-0114
MD5 | ab022dff15de3cf47d3c6e94c3aaa24b
Red Hat Security Advisory 2014-0474-01
Posted May 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0474-01 - Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.

tags | advisory, java, remote, web, code execution
systems | linux, redhat
advisories | CVE-2014-0114
MD5 | 0d9c56e31b76c78781e0212da36dd794
Struts 1 ClassLoader Manipulation Update
Posted May 3, 2014
Authored by Rene Gielen | Site struts.apache.org

Apache Struts 1, now EOL'ed a year ago, suffers from a ClassLoader manipulation vulnerability similar to recent findings. Alvaro Munoz and the HP Fortify team have helped the Struts team come up with a recommendation for mitigation.

tags | advisory
advisories | CVE-2014-0114
MD5 | 098fddae80e8cfb5eb78704c5ed8abfa
Struts 1 ClassLoader Manipulation
Posted Apr 29, 2014
Authored by Rene Gielen | Site struts.apache.org

Apache Struts 1, now EOL'ed a year ago, suffers from a ClassLoader manipulation vulnerability similar to recent findings.

tags | advisory
advisories | CVE-2014-0114
MD5 | 51bfefc7623fa8972b16f2416ca2ad29
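The two Struts 1 advisories above describe a framework that is end-of-life and a mitigation recommendation rather than a release. The following is an added example, not code from those advisories or from Struts, of the request-level stop-gap such a situation calls for: refuse any parameter whose property path traverses "class" before the framework's form population ever sees it. The splitting rule, the parameter names and the case-insensitive comparison are this example's own assumptions, not the advisory's published pattern.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not code from the Struts advisories. A request-level guard
// that rejects parameter names traversing the "class" property. The exact
// rule is this example's own assumption.
public class ClassParameterGuard {

    // Segment names that must not appear anywhere in a property path.
    private static final Set<String> FORBIDDEN = Collections.singleton("class");

    // Split a BeanUtils-style property expression into its segments:
    // "a.b" (nested), "a[0]" (indexed) and "a(key)" (mapped), in any
    // quoting style, all reduce to the words between the delimiters.
    static List<String> segments(String paramName) {
        return Arrays.asList(paramName.split("[.\\[\\]()'\"]+"));
    }

    // True if the parameter name tries to traverse the "class" property.
    // The comparison ignores case as a hedge against other property
    // resolvers; BeanUtils itself matches property names case-sensitively.
    static boolean isClassTraversal(String paramName) {
        for (String segment : segments(paramName)) {
            if (FORBIDDEN.contains(segment.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    // Returns the offending parameter names; an empty list means the
    // request may be passed on. A servlet Filter would call this on
    // request.getParameterMap() and answer 400 when the list is non-empty.
    static List<String> offendingParameters(Map<String, String[]> params) {
        List<String> bad = new ArrayList<>();
        for (String name : params.keySet()) {
            if (isClassTraversal(name)) {
                bad.add(name);
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed parameter map standing in for a Struts 1 request.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("username", new String[] {"alice"});
        params.put("classification", new String[] {"internal"}); // legitimate, must pass
        params.put("class.classLoader", new String[] {"x"});
        params.put("user['class'].classLoader", new String[] {"x"});
        params.put("items(Class).classLoader", new String[] {"x"});

        List<String> bad = offendingParameters(params);
        System.out.println(bad.isEmpty()
                ? "request passes"
                : "reject with 400, offending parameters: " + bad);
    }
}
```

Tokenising on the path delimiters rather than searching for the substring "class" is what lets a legitimate field such as classification through while still catching the nested, indexed and mapped spellings of the traversal. Any such filter is a stop-gap: the durable fix remains a BeanUtils build that suppresses the class property, and the advisories above exist precisely because Struts 1 itself would not receive one.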
© 2019 Packet Storm. All rights reserved.