CVE-2014-0114

Name: CVE-2014-0114
Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-57-1, DSA-2940-1
NVD severity: high (attack range: remote)
Debian Bugs: 745897
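The description above is the whole mechanism: BeanUtils resolves nested property paths by calling JavaBean getters, and every object has getClass(), so a request parameter named class.classLoader.* walks from the ActionForm into the web application's ClassLoader. The Java program below is an added example written for this page; it is not code from the Debian package, from Struts or from the BeanUtils project. It shows a plain bean (LoginForm, a stand-in for an ActionForm) being probed with a default BeanUtilsBean and with one that registers SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS, the introspector introduced in commons-beanutils 1.9.2 under BEANUTILS-463 (the version Debian's fixed-package table points at). The helper names (exposesClassLoader, hardenedBeanUtils, isSuspiciousParameterName), the parameter names and the parameter-name regex are all assumptions made for the example; the regex is a defence-in-depth pattern of my own, not the one any Struts release ships.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyDemo {

    /** Stand-in for a Struts 1 ActionForm: an ordinary JavaBean with one property (constructed for this example). */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    /**
     * Returns true if BeanUtils resolves the nested path "class.classLoader" on the
     * bean, i.e. if a request parameter named "class.classLoader.*" can reach the
     * web application's ClassLoader through the bean's getClass().
     */
    static boolean exposesClassLoader(BeanUtilsBean beanUtils, Object bean) {
        try {
            Object loader = beanUtils.getPropertyUtils()
                                     .getNestedProperty(bean, "class.classLoader");
            return loader != null;
        } catch (Exception e) {
            // NoSuchMethodException once "class" is no longer treated as a bean property
            return false;
        }
    }

    /** BeanUtilsBean that ignores the "class" property (introspector shipped in 1.9.2, BEANUTILS-463). */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils()
           .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    // Defence in depth for applications stuck on an old BeanUtils: reject parameter
    // names that address "class" as a property segment, whether written as
    // "class.x", "x.class.y", "x[class]" or "x('class')". Pattern is an assumption
    // chosen for this example, not taken from the advisory.
    private static final Pattern CLASS_SEGMENT =
        Pattern.compile("(^|[.\\[\\('\"])[cC]lass([.\\[\\('\"]|$)");

    static boolean isSuspiciousParameterName(String name) {
        return CLASS_SEGMENT.matcher(name).find();
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate, one hostile.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("class.classLoader.someProperty", "attacker-controlled");

        BeanUtilsBean asShipped = new BeanUtilsBean();     // default behaviour before 1.9.4
        BeanUtilsBean hardened  = hardenedBeanUtils();

        System.out.println("default exposes ClassLoader:  " + exposesClassLoader(asShipped, new LoginForm()));
        System.out.println("hardened exposes ClassLoader: " + exposesClassLoader(hardened,  new LoginForm()));

        // populate() on the hardened instance skips the "class.*" key (no property
        // named "class" is found, so the nested walk stops) and still sets username.
        LoginForm form = new LoginForm();
        hardened.populate(form, params);
        System.out.println("username after populate: " + form.getUsername());

        for (String key : params.keySet()) {
            System.out.println(key + " -> " + (isSuspiciousParameterName(key) ? "REJECT" : "ok"));
        }
    }
}
```

Registering the introspector is the library-level fix; with 1.9.2 and 1.9.3 it must be added explicitly, as above, which is why Debian judged a backport "too intrusive" and fixed libstruts1.2-java instead. Later BeanUtils releases (1.9.4 onwards) register SUPPRESS_CLASS by default. The parameter-name check belongs in a servlet filter in front of any code that still calls BeanUtils.populate() on request parameters.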

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package           Release                    Version          Status
commons-beanutils (PTS)  wheezy                     1.8.3-3          vulnerable
                         jessie                     1.9.2-1          fixed
                         buster, sid, stretch       1.9.3-1          fixed
libstruts1.2-java (PTS)  wheezy, wheezy (security)  1.2.9-5+deb7u2   fixed

The information below is based on the following data on fixed versions.

Package            Type    Release     Fixed Version    Urgency  Origin      Debian Bugs
commons-beanutils  source  (unstable)  1.9.2-1          low
libstruts1.2-java  source  (unstable)  1.2.9-9          high                 745897
libstruts1.2-java  source  squeeze     1.2.9-4+deb6u1   high     DLA-57-1
libstruts1.2-java  source  wheezy      1.2.9-5+deb7u1   high     DSA-2940-1

Notes

http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E
[wheezy] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
[squeeze] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
https://issues.apache.org/jira/browse/BEANUTILS-463
