CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities :

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : 

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

The remote web application appears to use Struts 2, a Java based web application framework. The version of Struts 2 in use is affected by a security bypass vulnerability due to a flaw with CookieInterceptor. A remote, unauthenticated attacker can exploit this issue to manipulate the ClassLoader and modify a session state to bypass security restrictions.

Note that this vulnerability can only be exploited when a wildcard character is used to configure the 'cookiesName' value.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
83295	MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities	Nessus	CGI abuses	high
83293	MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities	Nessus	CGI abuses	high
73944	Apache Struts 2 CookieInterceptor Unspecified Security Bypass (S2-022)	Nessus	Misc.	medium

Detections

Analytics

CVE-2014-0116

medium

Tenable Plugins

high

high

medium