Summary: | dev-java/struts : Two Vulnerabilities (CVE-2014-{0112,0113}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | java |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/58016/ | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-04-28 09:21:26 UTC
CVE-2014-0113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0113): CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. CVE-2014-0112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0112): ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. This package has been removed, along with all the struts related ebuilds. See bug 540888. The package is gone. |