Candidate: CVE-2014-0114
PublicDate: 2014-04-30 10:49:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
 https://bugzilla.redhat.com/show_bug.cgi?id=1091938
Description:
 Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar
 in Apache Struts 1.x through 1.3.10 and in other products requiring
 commons-beanutils through 1.9.2, does not suppress the class property,
 which allows remote attackers to "manipulate" the ClassLoader and execute
 arbitrary code via the class parameter, as demonstrated by the passing of
 this parameter to the getClass method of the ActionForm object in Struts 1.
Ubuntu-Description:
 It was discovered that Apache Commons BeanUtils improperly handled certain
 input. An attacker could use this vulnerability to execute arbitrary code.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_libstruts1.2-java:
upstream_libstruts1.2-java: needs-triage
precise_libstruts1.2-java: released (1.2.9-5+deb7u1build0.12.04.1)
precise/esm_libstruts1.2-java: DNE (precise was released [1.2.9-5+deb7u1build0.12.04.1])
trusty_libstruts1.2-java: ignored (reached end-of-life)
trusty/esm_libstruts1.2-java: DNE (trusty was needed)
utopic_libstruts1.2-java: ignored (reached end-of-life)
vivid_libstruts1.2-java: DNE
vivid/stable-phone-overlay_libstruts1.2-java: DNE
vivid/ubuntu-core_libstruts1.2-java: DNE
wily_libstruts1.2-java: DNE
xenial_libstruts1.2-java: DNE
yakkety_libstruts1.2-java: DNE
zesty_libstruts1.2-java: DNE
artful_libstruts1.2-java: DNE
bionic_libstruts1.2-java: DNE
cosmic_libstruts1.2-java: DNE
disco_libstruts1.2-java: DNE
eoan_libstruts1.2-java: DNE
focal_libstruts1.2-java: DNE
groovy_libstruts1.2-java: DNE
hirsute_libstruts1.2-java: DNE
impish_libstruts1.2-java: DNE
jammy_libstruts1.2-java: DNE
devel_libstruts1.2-java: DNE

Patches_commons-beanutils:
upstream_commons-beanutils: released (1.9.2-1)
precise/esm_commons-beanutils: DNE
trusty_commons-beanutils: ignored (out of standard support)
trusty/esm_commons-beanutils: needed
xenial_commons-beanutils: not-affected (1.9.2-3)
bionic_commons-beanutils: not-affected (1.9.2-3)
disco_commons-beanutils: not-affected (1.9.2-3)
eoan_commons-beanutils: not-affected (1.9.2-3)
focal_commons-beanutils: not-affected (1.9.2-3)
groovy_commons-beanutils: not-affected (1.9.2-3)
hirsute_commons-beanutils: not-affected (1.9.2-3)
impish_commons-beanutils: not-affected (1.9.2-3)
jammy_commons-beanutils: not-affected (1.9.2-3)
devel_commons-beanutils: not-affected (1.9.2-3)