CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

The version of Apache Struts running on the remote host is 2.x prior to to 2.3.20. It, therefore, is affected by multiple class loader vulnerabilities:

  - A class loader vulnerability exists in ParametersInterceptor due to improper access restriction to the getClass     method. A remote, unauthenticated attacker can exploit this to manipulate the ClassLoader and execute arbitrary     code. (CVE-2014-0112)

  - A class loader vulnerability exists in CookieInterceptor due to improper access restriction to the getClass. A     remote, unauthenticated attacker can exploit this, via a specially crafted request which uses a wildcard cookiesName     value to manipulate the ClassLoader and execute arbitrary code. (CVE-2014-0113)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities :

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : 

  - A flaw exists within 'MultipartStream.java' in Apache     Commons FileUpload when parsing malformed Content-Type     headers. A remote attacker, using a crafted header,     can exploit this to cause an infinite loop, resulting     in a denial of service. (CVE-2014-0050)

  - Security bypass flaws exist in the ParametersInterceptor     and CookieInterceptor classes, within the included     Apache Struts 2 component, which are due to a failure to     properly restrict access to their getClass() methods. A     remote attacker, using a crafted request, can exploit     these flaws to manipulate the ClassLoader, thus allowing     the execution of arbitrary code or modification of the     session state. Note that vulnerabilities CVE-2014-0112     and CVE-2014-0116 occurred because the patches for     CVE-2014-0094 and CVE-2014-0113, respectively, were not     complete fixes. (CVE-2014-0094, CVE-2014-0112,     CVE-2014-0113, CVE-2014-0116)

The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability, possibly due to an incomplete fix for ClassLoader manipulation implemented in version 2.3.16.1.

Note that this plugin will only report the first vulnerable instance of a Struts 2 application.

ID	Name	Product	Family	Severity
117457	Apache Struts 2.x < 2.3.20 Multiple ClassLoader Manipulation Vulnerabilities (S2-021)	Nessus	Misc.	high
83295	MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities	Nessus	CGI abuses	high
83293	MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities	Nessus	CGI abuses	high
73763	Apache Struts 2 ClassLoader Manipulation Incomplete Fix for Security Bypass	Nessus	Denial of Service	high

Detections

Analytics

CVE-2014-0113

high

Tenable Plugins

high

high

high

high