CVE-2014-0114
Summary
| CVE | CVE-2014-0114 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-04-30 10:49:03 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Commons Beanutils | All | All | All | All |
| Application | Apache | Struts | 1.0 | All | All | All |
| Application | Apache | Struts | 1.0.2 | All | All | All |
| Application | Apache | Struts | 1.1 | All | All | All |
| Application | Apache | Struts | 1.1 | b1 | All | All |
| Application | Apache | Struts | 1.1 | b2 | All | All |
| Application | Apache | Struts | 1.1 | b3 | All | All |
| Application | Apache | Struts | 1.1 | rc1 | All | All |
| Application | Apache | Struts | 1.1 | rc2 | All | All |
| Application | Apache | Struts | 1.2.2 | All | All | All |
| Application | Apache | Struts | 1.2.4 | All | All | All |
| Application | Apache | Struts | 1.2.6 | All | All | All |
| Application | Apache | Struts | 1.2.7 | All | All | All |
| Application | Apache | Struts | 1.2.8 | All | All | All |
| Application | Apache | Struts | 1.2.9 | All | All | All |
| Application | Apache | Struts | 1.3.10 | All | All | All |
| Application | Apache | Struts | 1.3.5 | All | All | All |
| Application | Apache | Struts | 1.3.8 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting Tivoli Provisioning Manager for Software (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting Tivoli Storage Productivity Center (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| CPU Oct 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| '[security bulletin] HPSBGN03041 rev.1 - HP IceWall Configuration Manager running Apache Struts, Remo' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| Security Advisory SA58947 - IBM Tivoli Storage Productivity Center Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59704 - IBM Content Collector Multiple Vulnerabilities - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting IBM Tivoli Identity Manager/IBM Security Identity Manager (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Security Advisory SA59246 - IBM Tivoli Identity Manager / Security Identity Manager Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59118 - IBM InfoSphere Identity Insight Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| [BEANUTILS-463] Class loader vulnerability in DefaultResolver - ASF JIRA | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | |
| '[security bulletin] HPSBST03160 rev.1 - HP XP Command View Advanced Edition running Apache Struts, R' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| IBM Security Bulletin: One vulnerability in IBM FileNet Content Manager, IBM Content Foundation, IBM FileNet Content Federation Services and IBM FileNet Legacy Content Search Engine (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| www.mandriva.com | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| Security Advisory SA59480 - IBM Content Manager Records Enabler Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Bug 1116665 – CVE-2014-3540 commons-beanutils: 'class' property is exposed, potentially leading to RCE | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | |
| Security Bulletin: IBM Security SiteProtector System can be affected by a vulnerability in IBM Global Security Kit (CVE-2014-0963) and in Apache Struts V1.x (CVE-2014-0114) | af854a3a-2127-422b-91ae-364da2661108 | www.ibm.com | |
| Apache Struts ClassLoader Manipulation CVE-2014-0114 Security Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Oracle Critical Patch Update - October 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Oracle Critical Patch Update - July 2019 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting InfoSphere Identity Insight (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| IBM Security Bulletin: Classloader Manipulation Vulnerability in Lotus Quickr 8.5 for WebSphere Portal CVE-2014-0114 - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| IBM Security Bulletin: Open Source Apache Struts V1 ClassLoader manipulation vulnerability (CVE-2014-0114) in IBM Web Interface for Content Management (WEBi) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Oracle Critical Patch Update - October 2014 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Oracle Critical Patch Update - January 2019 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| '[security bulletin] HPSBMU03090 rev.1 - HP SiteScope, running Apache Struts, Remote Execution of Arb' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| Security Advisory SA57477 - IBM Tivoli Application Dependency Discovery Manager Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59479 - IBM Records Manager Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59464 - IBM Multiple Products Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Does CVE-2014-0114 affect Struts 1 in Red Hat products? - Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| Document Display | HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| CVE-2014-0114 Apache Struts Class Suppression Vulnerability in Multiple NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | |
| IBM A security issue exists in the Verity dashboard that is installed with IBM FileNet Content Search Engine 4.5.1 and IBM Legacy Content Search Engine 5.0.0 - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Security Advisory SA59245 - IBM Security SiteProtector Two Vulnerabilities - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update - July 2014 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| April 2018 Apache Struts Vulnerabilities in NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | |
| About Secunia Research | Flexera | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59430 - IBM Multiple Products Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| IBM Security Bulletin: Open Source Apache Struts V1 ClassLoader manipulation vulnerability (CVE-2014-0114) in IBM Content Analytics with Enterprise Search and IBM OmniFind Enterprise Edition - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Oracle Critical Patch Update - October 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| oss-security - Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE | af854a3a-2127-422b-91ae-364da2661108 | openwall.com | |
| Security Advisory SA59228 - IBM InfoSphere Data Click Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update - January 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Security Advisory SA58851 - IBM Lotus Quickr for WebSphere Portal Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA58710 - IBM WEBi Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| VMSA-2014-0008.2 | United States | af854a3a-2127-422b-91ae-364da2661108 | www.vmware.com | |
| Security Advisory SA60177 - HP SiteScope Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Mageia Advisory: MGASA-2014-0219 - Updated struts packages fix CVE-2014-0114 | af854a3a-2127-422b-91ae-364da2661108 | advisories.mageia.org | |
| IBM Security Bulletin: ClassLoader manipulation with Apache Struts affecting IBM Records Manager, IBM Content Manager Records Enabler and WebSphere Application Server shipped with IBM Records Manager (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Debian -- Security Information -- DSA-2940-1 libstruts1.2-java | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Security Advisory SA60703 - Debian update for libstruts1.2-java - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt | af854a3a-2127-422b-91ae-364da2661108 | commons.apache.org | |
| IBM Security Bulletin: Classloader Manipulation Vulnerability in Rational Change (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Oracle Critical Patch Update Advisory - April 2019 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| IBM Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server shipped with IBM Content Collector (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| IBM Security Bulletin: Multiple IBM InfoSphere Information Server components are vulnerable due to ClassLoader manipulation vulnerability in Open Source Apache Struts version 1 (CVE-2014-0114) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| oss-security - CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE | af854a3a-2127-422b-91ae-364da2661108 | openwall.com | |
| CPU July 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Oracle Critical Patch Update - January 2015 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Bug 1091938 – CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | |
| Security Advisory SA59014 - IBM Rational Change Apache Struts ClassLoader Manipulation Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Full Disclosure: NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| [SECURITY] Fedora 20 Update: struts-1.3.10-10.fc20 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Apache Ignite Developers - [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114 | af854a3a-2127-422b-91ae-364da2661108 | apache-ignite-developers.2346864.n4.nabble.com | |
| VMSA-2014-0012 | United States | af854a3a-2127-422b-91ae-364da2661108 | www.vmware.com | |
| Commons-BeanUtils: Arbitrary code execution (GLSA 201607-09) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 983467 Java (maven) Security Update for commons-beanutils:commons-beanutils (GHSA-p66x-2cv9-qq3v)