CVE-2014-0094

CVE Database · CVE-2014-0094

CVE-2014-0094

· N/AModified

CVSS v3.1

N/A

EPSS

99.61%

Published

Mar 11, 2014

Modified

May 6, 2026

Public PoC / Exploit (3)

All weaponized →

Exploit-DBApache Struts - ClassLoader Manipulation Remote Code Execution (Metasploit)Exploit-DBApache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Affected Products (1)

apache · struts (up to 2.3.16.1)vulnerable

References (20)

http://jvn.jp/en/jp/JVN19294237/index.html

Third Party AdvisoryVDB Entry

http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html

Third Party AdvisoryVDB Entry

http://secunia.com/advisories/56440

Vendor Advisory

http://secunia.com/advisories/59178

Permissions Required

http://struts.apache.org/release/2.3.x/docs/s2-020.html

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs