CVE-2014-0114
Published: 30 April 2014
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
From the Ubuntu Security Team
It was discovered that Apache Commons BeanUtils improperly handled certain input. An attacker could use this vulnerability to execute arbitrary code.
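A defensive illustration of the issue described above, added here and not taken from Ubuntu, Apache Commons or Struts: a request screen that rejects parameter names whose property path reaches the `class` property. The function names and sample query strings are constructed for this example; matching case-insensitively and treating a quoted map key `class` as a hit are conservative assumptions.

```python
import re
from typing import List
from urllib.parse import parse_qsl

# Separators of a BeanUtils-style property expression:
# nested "a.b", indexed "a[0]", mapped "a(key)" or "a['key']".
_SEPARATORS = re.compile(r"[.\[\]()'\"]+")


def touches_class_property(param_name: str) -> bool:
    """Return True if any segment of the property path is 'class'.

    Only whole segments are compared, so ordinary names such as
    'classification' or 'subclass' are not flagged.
    """
    segments = [s for s in _SEPARATORS.split(param_name) if s]
    return any(s.lower() == "class" for s in segments)


def screen_query(query_string: str) -> List[str]:
    """Return the decoded parameter names that should be rejected.

    parse_qsl percent-decodes names first, so an encoded spelling such
    as '%63lass' is checked in its decoded form.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return [name for name, _ in pairs if touches_class_property(name)]


if __name__ == "__main__":
    # Constructed sample inputs (not captured traffic).
    samples = [
        "name=alice&classification=internal",
        "class.placeholder=1",
        "%63lass.placeholder=1&ok=2",
        "items[0].Class.placeholder=1",
    ]
    for qs in samples:
        rejected = screen_query(qs)
        print(("REJECT" if rejected else "allow "), qs, rejected)
```

A screen like this only reduces exposure in front of an unpatched application; the fixed package versions listed under Status address the library itself.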
Priority
Status
Package | Release | Status |
---|---|---|
commons-beanutils | bionic | Released (1.9.3-1ubuntu0.1~esm1), available with Ubuntu Pro |
commons-beanutils | disco | Not vulnerable (1.9.2-3) |
commons-beanutils | eoan | Not vulnerable (1.9.2-3) |
commons-beanutils | focal | Not vulnerable (1.9.2-3) |
commons-beanutils | groovy | Not vulnerable (1.9.2-3) |
commons-beanutils | hirsute | Not vulnerable (1.9.2-3) |
commons-beanutils | impish | Not vulnerable (1.9.2-3) |
commons-beanutils | jammy | Not vulnerable (1.9.2-3) |
commons-beanutils | kinetic | Not vulnerable (1.9.2-3) |
commons-beanutils | lunar | Not vulnerable (1.9.2-3) |
commons-beanutils | trusty | Released (1.9.1-1ubuntu0.1~esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
commons-beanutils | upstream | Released (1.9.2-1) |
commons-beanutils | xenial | Released (1.9.2-3ubuntu0.1~esm1), available with Ubuntu Pro |
libstruts1.2-java | artful | Does not exist |
libstruts1.2-java | bionic | Does not exist |
libstruts1.2-java | cosmic | Does not exist |
libstruts1.2-java | disco | Does not exist |
libstruts1.2-java | eoan | Does not exist |
libstruts1.2-java | focal | Does not exist |
libstruts1.2-java | groovy | Does not exist |
libstruts1.2-java | hirsute | Does not exist |
libstruts1.2-java | impish | Does not exist |
libstruts1.2-java | jammy | Does not exist |
libstruts1.2-java | kinetic | Does not exist |
libstruts1.2-java | lunar | Does not exist |
libstruts1.2-java | precise | Released (1.2.9-5+deb7u1build0.12.04.1) |
libstruts1.2-java | trusty | Does not exist (trusty was needed) |
libstruts1.2-java | upstream | Needs triage |
libstruts1.2-java | utopic | Ignored (end of life) |
libstruts1.2-java | vivid | Does not exist |
libstruts1.2-java | wily | Does not exist |
libstruts1.2-java | xenial | Does not exist |
libstruts1.2-java | yakkety | Does not exist |
libstruts1.2-java | zesty | Does not exist |