CVE-2014-0114

Name: CVE-2014-0114
Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Source: CVE (at NVD)
References: DLA-57-1, DSA-2940-1
NVD severity: high
Debian Bugs: 745897

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package           Release            Version          Status
commons-beanutils (PTS)  jessie             1.9.2-1          fixed
                         jessie (security)  1.9.2-1+deb8u1   fixed
                         buster, stretch    1.9.3-1          fixed
                         bullseye, sid      1.9.4-1          fixed

The information below is based on the following data on fixed versions.

Package            Type    Release     Fixed Version    Urgency  Origin      Debian Bugs
commons-beanutils  source  (unstable)  1.9.2-1          low
libstruts1.2-java  source  (unstable)  1.2.9-9                               745897
libstruts1.2-java  source  squeeze     1.2.9-4+deb6u1            DLA-57-1
libstruts1.2-java  source  wheezy      1.2.9-5+deb7u1            DSA-2940-1

Notes

http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E
[wheezy] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
[squeeze] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
https://issues.apache.org/jira/browse/BEANUTILS-463
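The following is an added example, not code from the Debian tracker, from Apache Commons BeanUtils or from Struts. It shows the mechanism behind the description above: a request parameter named `class.classLoader.<something>` is treated by `BeanUtils.populate` as a nested property path, so the binder walks from the form bean through `getClass()` to the web application's ClassLoader and calls a setter on it. It then applies the mitigation that BEANUTILS-463 introduced in 1.9.2, `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, and checks that the path can no longer be resolved. Assumptions: commons-beanutils 1.9.2 or later on the classpath; `UserForm` is a stand-in for a Struts 1 ActionForm; the parameter map is constructed for the example; `exposesClassLoader` and `harden` are helper names chosen here.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    /** Minimal form bean; stands in for a Struts 1 ActionForm (assumption). */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * True if this BeanUtilsBean will follow the nested path "class.classLoader"
     * on the given bean, i.e. the `class` property is still exposed (CVE-2014-0114).
     * Once `class` is suppressed, PropertyUtils throws NoSuchMethodException for it
     * and the nested path cannot be walked at all.
     */
    public static boolean exposesClassLoader(BeanUtilsBean bub, Object bean) {
        try {
            Object loader = bub.getPropertyUtils().getProperty(bean, "class.classLoader");
            return loader instanceof ClassLoader;
        } catch (NoSuchMethodException e) {
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Registers the introspector from BEANUTILS-463 on the instance that does the binding. */
    public static BeanUtilsBean harden(BeanUtilsBean bub) {
        bub.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate field plus a hostile nested
        // path. ClassLoader.setDefaultAssertionStatus(boolean) is a public setter, so
        // it is the harmless end of the path used here; real attacks target setters
        // on the container's loader that reach the file system.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.defaultAssertionStatus", "true");

        // Fresh instance with the default introspectors of the installed version.
        BeanUtilsBean binder = new BeanUtilsBean();
        UserForm form = new UserForm();

        System.out.println("exposes ClassLoader before hardening: "
                + exposesClassLoader(binder, form));
        // On an exposed instance this call reaches the ClassLoader and invokes the setter.
        binder.populate(form, params);
        System.out.println("name bound: " + form.getName());

        harden(binder);
        UserForm safeForm = new UserForm();
        System.out.println("exposes ClassLoader after hardening: "
                + exposesClassLoader(binder, safeForm));
        // The hostile entry is now silently skipped (unknown nested property);
        // ordinary fields still bind.
        binder.populate(safeForm, params);
        System.out.println("name bound: " + safeForm.getName());
    }
}
```

On 1.9.2 and 1.9.3 the first check prints true and the second false; on 1.9.4, where the class property is suppressed by default, both print false. Two caveats a practitioner should keep in mind. First, the introspector only protects the `BeanUtilsBean` instance it is registered on: code that binds through the static `BeanUtils.populate` uses `BeanUtilsBean.getInstance()` (one instance per context ClassLoader), so the registration has to be made on that instance, early in application start-up, not on a fresh one as this example does for clarity. Second, as the Debian notes above record, the change was judged too intrusive to backport to wheezy and squeeze for commons-beanutils itself, and Struts 1 ships its own copy of the library, so the DLA/DSA for libstruts1.2-java is the relevant fix there rather than the system commons-beanutils package.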
