摘要:
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to manipulate the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
安全等级: Low
公告ID: KylinSec-SA-2022-1700
发布日期: 2022年7月30日
关联CVE: CVE-2014-0116
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to manipulate the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2014-0116 | KY3.4-4A | struts | Unaffected |
| CVE-2014-0116 | KY3.4-5 | struts | Unaffected |
| CVE-2014-0116 | KY3.5.1 | struts | Unaffected |
