Security Advisory

CVE-2014-0116

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2014-05-08 10:00:00

Last updated 2024-08-06 09:05:38

Assigner redhat

State PUBLISHED

Description

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.

← Browse all CVEs View on cve.org ↗