CVE-2014-0116

2014-05-08T06:55:02
ID CVE-2014-0116
Type cve
Reporter NVD
Modified 2015-04-16T21:59:08

Description

CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.