Candidate: CVE-2014-0116
PublicDate: 2014-05-08 10:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0116
 https://cwiki.apache.org/confluence/display/WW/S2-022
 http://struts.apache.org/release/2.3.x/docs/s2-022.html
Description:
 CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard
 cookiesName value is used, does not properly restrict access to the
 getClass method, which allows remote attackers to "manipulate" the
 ClassLoader and modify session state via a crafted request. NOTE: this
 vulnerability exists because of an incomplete fix for CVE-2014-0113.
Ubuntu-Description:
Notes:
 jdstrand> per Debian: (Struts 2.0.0 through to Struts 2.3.16.2)
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_libstruts1.2-java:
upstream_libstruts1.2-java: not-affected
lucid_libstruts1.2-java: not-affected
precise_libstruts1.2-java: not-affected
quantal_libstruts1.2-java: not-affected
saucy_libstruts1.2-java: not-affected
trusty_libstruts1.2-java: not-affected
trusty/esm_libstruts1.2-java: DNE (trusty was not-affected)
devel_libstruts1.2-java: not-affected