
Apache Struts vulnerability – not as high profile, but still dangerous

CVEdetails has a list of all CVEs.

This vulnerability sits in the infrastructure of Internet web servers (Apache specifically).


But specifically this is CVE-2014-0094

and this is the line that is important:

The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to “manipulate” the ClassLoader via the class parameter, which is passed to the getClass method.

But it also says that actual access to the system is not possible with this vulnerability. It is likely a stepping stone that lets the hacker gain more information about the system. Patching is therefore not a high priority, although it should be done in your regular patch cycles.
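One way to see whether anyone has probed for this before the patch cycle comes around, as an added example (not code from the original post or from the Struts project): scan access-log query strings for parameter names that address `class`. The log lines, IP addresses and `.action` paths are constructed, and the regular expression is this example's own heuristic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A "class" segment in a dotted or bracketed parameter path, e.g.
# class.x, foo.class.x, Class['x'], foo['class'].x (heuristic, case-insensitive).
CLASS_SEGMENT = re.compile(r"""(?:^|\.|\[['"]?)class(?:$|\.|\[|['"]?\])""", re.IGNORECASE)

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return URL-decoded parameter names in the request target that address `class`."""
    query = urlsplit(target).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if CLASS_SEGMENT.search(n)]

def scan(lines):
    """Return (line_number, client_ip, [param names]) for each flagged entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        flagged = suspicious_params(match.group("target"))
        if flagged:
            hits.append((number, line.split(" ", 1)[0], flagged))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2014:10:00:01 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2014:10:00:05 +0000] "GET /app/view.action?class.classLoader.PLACEHOLDER=1 HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Mar/2014:10:00:06 +0000] "GET /app/view.action?Class%5B%27classLoader%27%5D=1 HTTP/1.1" 200 498',
    '192.0.2.10 - - [10/Mar/2014:10:00:09 +0000] "GET /app/course.action?classroom=12&subclass.id=3 HTTP/1.1" 200 730',
]

if __name__ == "__main__":
    for number, client, names in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent {names}")
```

POST bodies do not appear in a standard access log, so a clean result here covers query-string parameters only.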
