Apache Struts ClassLoader Manipulation

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server contains a web application that uses a Java
framework that is affected by a ClassLoader manipulation

Description :

The remote web application appears to use Struts, a web application
framework. The version of Struts in use contains a flaw that allows
the manipulation of the ClassLoader via the 'class' parameter of an
ActionForm object that results in a denial of service.

Note that this vulnerability may be exploited to execute arbitrary
remote code in certain application servers with specific
however, Nessus has not tested for this issue.

Additionally, note that this plugin will only report the first
vulnerable instance of a Struts application.

Solution :

Unknown at this time. Note that Struts 1 has reached end-of-life and
is no longer supported.

Risk factor :

High / CVSS Base Score : 7.5
CVSS Temporal Score : 6.5
Public Exploit Available : true

Family: Denial of Service

Nessus Plugin ID: 73919

Bugtraq ID: 67121

CVE ID: CVE-2014-0114