CVE-2014-0114

Summary

CVE: CVE-2014-0114
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2014-04-30 10:49:00 UTC
Updated: 2023-02-13 00:32:00 UTC
Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor | Product           | Version | Update | Edition | Language
Application | Apache | Commons Beanutils | All     | All    | All     | All
Application | Apache | Struts            | 1.0     | All    | All     | All
Application | Apache | Struts            | 1.0.2   | All    | All     | All
Application | Apache | Struts            | 1.1     | All    | All     | All
Application | Apache | Struts            | 1.1     | b1     | All     | All
Application | Apache | Struts            | 1.1     | b2     | All     | All
Application | Apache | Struts            | 1.1     | b3     | All     | All
Application | Apache | Struts            | 1.1     | rc1    | All     | All
Application | Apache | Struts            | 1.1     | rc2    | All     | All
Application | Apache | Struts            | 1.2.2   | All    | All     | All
Application | Apache | Struts            | 1.2.4   | All    | All     | All
Application | Apache | Struts            | 1.2.6   | All    | All     | All
Application | Apache | Struts            | 1.2.7   | All    | All     | All
Application | Apache | Struts            | 1.2.8   | All    | All     | All
Application | Apache | Struts            | 1.2.9   | All    | All     | All
Application | Apache | Struts            | 1.3.10  | All    | All     | All
Application | Apache | Struts            | 1.3.5   | All    | All     | All
Application | Apache | Struts            | 1.3.8   | All    | All     | All

References

Reference | Source | Link | Tags
Security Advisory SA57477 - IBM Tivoli Application Dependency Discovery Manager Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting InfoSphere Identity Insight (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Security Advisory SA60177 - HP SiteScope Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
'[security bulletin] HPSBST03160 rev.1 - HP XP Command View Advanced Edition running Apache Struts, R' - MARC HP marc.info
'[security bulletin] HPSBGN03041 rev.1 - HP IceWall Configuration Manager running Apache Struts, Remo' - MARC HP marc.info
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting IBM Records Manager, IBM Content Manager Records Enabler and WebSphere Application Server shipped with IBM Records Manager (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
Pony Mail! MISC lists.apache.org
IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting IBM Tivoli Identity Manager/IBM Security Identity Manager (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
Mageia Advisory: MGASA-2014-0219 - Updated struts packages fix CVE-2014-0114 CONFIRM advisories.mageia.org
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Does CVE-2014-0114 affect Struts 1 in Red Hat products? - Red Hat Customer Portal CONFIRM access.redhat.com
Pony Mail! MLIST lists.apache.org
Security Advisory SA59480 - IBM Content Manager Records Enabler Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
IBM Security Bulletin: One vulnerability in IBM FileNet Content Manager, IBM Content Foundation, IBM FileNet Content Federation Services and IBM FileNet Legacy Content Search Engine (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Security Advisory SA59228 - IBM InfoSphere Data Click Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
VMSA-2014-0012 | United States CONFIRM www.vmware.com
Oracle Critical Patch Update - January 2018 CONFIRM www.oracle.com
VMSA-2014-0008.2 | United States CONFIRM www.vmware.com
[SECURITY] Fedora 20 Update: struts-1.3.10-10.fc20 FEDORA lists.fedoraproject.org
CPU July 2018 CONFIRM www.oracle.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
IBM Security Bulletin: Multiple IBM InfoSphere Information Server components are vulnerable due to ClassLoader manipulation vulnerability in Open Source Apache Struts version 1 (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Bug 1116665 – CVE-2014-3540 commons-beanutils: 'class' property is exposed, potentially leading to RCE CONFIRM bugzilla.redhat.com
Oracle Critical Patch Update - October 2016 CONFIRM www.oracle.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Security Advisory SA59245 - IBM Security SiteProtector Two Vulnerabilities - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
'[security bulletin] HPSBMU03090 rev.1 - HP SiteScope, running Apache Struts, Remote Execution of Arb' - MARC HP marc.info
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Security Advisory SA58851 - IBM Lotus Quickr for WebSphere Portal Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in IBM Global Security Kit (CVE-2014-0963) and in Apache Struts V1.x (CVE-2014-0114) CONFIRM www.ibm.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Oracle Critical Patch Update - January 2015 CONFIRM www.oracle.com
Security Advisory SA59118 - IBM InfoSphere Identity Insight Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Apache Struts ClassLoader Manipulation CVE-2014-0114 Security Bypass Vulnerability BID www.securityfocus.com
Full Disclosure: NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities FULLDISC seclists.org
Security Advisory SA59014 - IBM Rational Change Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Red Hat Customer Portal REDHAT access.redhat.com
Pony Mail! MLIST lists.apache.org
Document Display | HPE Support Center CONFIRM h20566.www2.hpe.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Bug 1091938 – CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters CONFIRM bugzilla.redhat.com
April 2018 Apache Struts Vulnerabilities in NetApp Products | NetApp Product Security CONFIRM security.netapp.com
Pony Mail! MLIST lists.apache.org
Oracle Critical Patch Update - January 2019 CONFIRM www.oracle.com
commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt CONFIRM commons.apache.org
IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting Tivoli Storage Productivity Center (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 - United States CONFIRM www-01.ibm.com
Oracle Critical Patch Update - July 2019 MISC www.oracle.com
Pony Mail! MISC lists.apache.org
IBM Security Bulletin: Open Source Apache Struts V1 ClassLoader manipulation vulnerability (CVE-2014-0114) in IBM Content Analytics with Enterprise Search and IBM OmniFind Enterprise Edition - United States CONFIRM www-01.ibm.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
IBM A security issue exists in the Verity dashboard that is installed with IBM FileNet Content Search Engine 4.5.1 and IBM Legacy Content Search Engine 5.0.0 - United States CONFIRM www-01.ibm.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Security Advisory SA60703 - Debian update for libstruts1.2-java - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
Apache Ignite Developers - [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114 MLIST apache-ignite-developers.2346864.n4.nabble.com
Pony Mail! MLIST lists.apache.org
Security Advisory SA59479 - IBM Records Manager Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
[BEANUTILS-463] Class loader vulnerability in DefaultResolver - ASF JIRA CONFIRM issues.apache.org
IBM Security Bulletin: Classloader Manipulation Vulnerability in Rational Change (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Security Advisory SA59430 - IBM Multiple Products Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
www.mandriva.com MANDRIVA www.mandriva.com
Debian -- Security Information -- DSA-2940-1 libstruts1.2-java DEBIAN www.debian.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Security Advisory SA59464 - IBM Multiple Products Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Oracle Critical Patch Update - October 2014 CONFIRM www.oracle.com
Oracle Critical Patch Update - July 2014 CONFIRM www.oracle.com
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MLIST lists.apache.org
oss-security - Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE MLIST openwall.com
Pony Mail! MLIST lists.apache.org
Security Advisory SA58710 - IBM WEBi Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
oss-security - CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE MLIST openwall.com
CVE-2014-0114 Apache Struts Class Suppression Vulnerability in Multiple NetApp Products | NetApp Product Security CONFIRM security.netapp.com
Pony Mail! MLIST lists.apache.org
IBM Security Bulletin: Classloader Manipulation Vulnerability in Lotus Quickr 8.5 for WebSphere Portal CVE-2014-0114 - United States CONFIRM www-01.ibm.com
Pony Mail! MLIST lists.apache.org
CPU Oct 2018 CONFIRM www.oracle.com
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Commons-BeanUtils: Arbitrary code execution (GLSA 201607-09) — Gentoo security GENTOO security.gentoo.org
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
SecurityFocus BUGTRAQ www.securityfocus.com
Pony Mail! MISC lists.apache.org
Security Advisory SA59704 - IBM Content Collector Multiple Vulnerabilities - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
IBM Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server shipped with IBM Content Collector (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
IBM Security Bulletin: Open Source Apache Struts V1 ClassLoader manipulation vulnerability (CVE-2014-0114) in IBM Web Interface for Content Management (WEBi) - United States CONFIRM www-01.ibm.com
Pony Mail! MLIST lists.apache.org
Oracle Critical Patch Update - October 2017 CONFIRM www.oracle.com
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
Pony Mail! MISC lists.apache.org
About Secunia Research | Flexera SECUNIA secunia.com
IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting Tivoli Provisioning Manager for Software (CVE-2014-0114) - United States CONFIRM www-01.ibm.com
Security Advisory SA59246 - IBM Tivoli Identity Manager / Security Identity Manager Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
Pony Mail! MISC lists.apache.org
Pony Mail! MLIST lists.apache.org
Pony Mail! MISC lists.apache.org
Red Hat Customer Portal REDHAT access.redhat.com
Pony Mail! MLIST lists.apache.org
Oracle Critical Patch Update Advisory - April 2019 MISC www.oracle.com
Security Advisory SA58947 - IBM Tivoli Storage Productivity Center Apache Struts ClassLoader Manipulation Vulnerability - Secunia SECUNIA secunia.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 983467 Java (maven) Security Update for commons-beanutils:commons-beanutils (GHSA-p66x-2cv9-qq3v)
© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
