Apache Struts 2 'class' Parameter ClassLoader Manipulation

medium Nessus Plugin ID 73203

Synopsis

The remote web server contains a web application that uses a Java framework that is affected by a security bypass vulnerability.

Description

The remote web application appears to use Struts 2, a web framework that uses OGNL (Object-Graph Navigation Language) as its expression language. The version of Struts 2 in use is affected by a security bypass vulnerability because the application allows manipulation of the ClassLoader via the 'class' parameter, which is directly mapped to the getClass() method. A remote, unauthenticated attacker can take advantage of this issue to manipulate the ClassLoader used by the application server, bypassing certain security restrictions.

Note that this plugin will only report the first vulnerable instance of a Struts 2 application.

Note also that the application may be affected by a denial of service vulnerability; however, Nessus has not tested for this additional issue.
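As an added defensive illustration (not part of this plugin or of Struts itself), the following Python shows the two checks a practitioner would pair with this finding: dropping request parameters whose OGNL path navigates through getClass() before they reach the action, and comparing a reported Struts version against the fixed release named in the solution. The exclusion pattern is an assumption modelled on the excludeParams regex Struts ships for this fix, not a copy of it, and the query string and log lines are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed pattern (modelled on the Struts excludeParams fix): reject any parameter
# whose path contains a "class" segment in dotted or bracketed form, either case,
# since such a name is mapped onto getClass() and from there onto the ClassLoader.
CLASS_PARAM = re.compile(r".*[cC]lass(\.|['\"]\]|\[).*")

FIXED_VERSION = (2, 3, 16, 2)  # "Upgrade to version 2.3.16.2 or later"


def is_class_param(name: str) -> bool:
    """True if the parameter name would navigate through getClass()."""
    return CLASS_PARAM.fullmatch(name) is not None


def filter_params(query: str) -> dict:
    """Parse a query string and drop parameters that reach the ClassLoader."""
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if not is_class_param(k)}


def version_is_fixed(version: str) -> bool:
    """Compare a purely numeric dotted Struts version against the fixed release."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (len(FIXED_VERSION) - len(parts))
    return parts >= FIXED_VERSION


def flag_log_lines(lines):
    """Return request targets from access-log lines that carry a class.* parameter."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m and any(is_class_param(k) for k, _ in parse_qsl(urlsplit(m.group(1)).query)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample data, not real traffic.
SAMPLE_QUERY = "id=7&name=alice&class.classLoader.level=1&user.class.x=y"
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2014:10:00:00 +0000] "GET /app/login.action?user=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Mar/2014:10:00:01 +0000] "GET /app/login.action?class.classLoader.x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(filter_params(SAMPLE_QUERY))
    print(flag_log_lines(SAMPLE_LOG))
    print(version_is_fixed("2.3.16.1"), version_is_fixed("2.3.16.2"))
```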

Solution

Upgrade to version 2.3.16.2 or later.

See Also

http://www.nessus.org/u?2926fce9

http://www.nessus.org/u?e39cc37e

Plugin Details

Severity: Medium

ID: 73203

File Name: struts_2_3_16_1_classloader_manipulation.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 3/26/2014

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2014-0094

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:struts

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 3/5/2014

Vulnerability Publication Date: 3/6/2014

Exploitable With

Core Impact

Metasploit (Apache Struts ClassLoader Manipulation Remote Code Execution)

Reference Information

CVE: CVE-2014-0094

BID: 65999

CERT: 719225