Apache Struts: CVE-2014-0094 and CVE-2014-0050

Struts is an extensible framework used for creating enterprise Java Web Applications. In Struts 1.x there is a problem related to how the ActionForm bean population mechanism works, whereas in Struts 2.x there is an issue in how ParametersInterceptor allows access to the ‘class’ parameter, which is directly mapped to the getClass() method and allows ClassLoader manipulation. Long story short, this can allow attackers to execute arbitrary Java code remotely.
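As a detection aid for the ‘class’ parameter access described above, the following added example (not part of the original page and not Struts code) scans web access log lines for request parameter names whose property path contains a `class` segment. The regular expression, the log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption (not from the page): flag any parameter name whose property path
# has a "class" segment, dotted or bracketed, in any letter case.
CLASS_SEGMENT = re.compile(
    r"""(?:^|\.|\[['"]?)class(?:$|\.|\[|['"]?\])""", re.IGNORECASE)

# Client address and request target from a combined-log-format line.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*"')

def suspicious_params(target):
    """Return the query parameter names in target that traverse 'class'."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so %63lass is seen as class.
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if CLASS_SEGMENT.search(n)]

def scan_access_log(lines):
    """Return (client, path, names) for each line with a flagged name."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        names = suspicious_params(target)
        if names:
            hits.append((client, urlsplit(target).path, names))
    return hits

# Constructed sample lines; addresses, paths and property names are made up.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2014:09:00:01 +0000] "GET /app/list.action?classroom=5&user.className=a HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2014:09:00:02 +0000] "GET /app/login.action?class.classLoader.exampleProperty=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2014:09:00:03 +0000] "GET /app/view.do?id=1&%63lass.classLoader.exampleProperty=x HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for client, path, names in scan_access_log(SAMPLE_LOG):
        print(client, path, names)
```

Access logs normally record only the query string, so parameters sent in a POST body are not visible to this scan; the same name check would have to run at a point that sees the request body.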

