Skip to content

Arbitrary code execution in Apache Commons BeanUtils

High severity GitHub Reviewed Published Jun 10, 2020 to the GitHub Advisory Database • Updated Jun 5, 2024

Package

maven commons-beanutils:commons-beanutils (Maven)

Affected versions

>= 1.8.0, < 1.9.4

Patched versions

1.9.4

Description

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

References

Published by the National Vulnerability Database Apr 30, 2014
Reviewed Jun 10, 2020
Published to the GitHub Advisory Database Jun 10, 2020
Last updated Jun 5, 2024

Severity

High

EPSS score

97.274%
(100th percentile)

Weaknesses

CVE ID

CVE-2014-0114

GHSA ID

GHSA-p66x-2cv9-qq3v

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.