CVE-2014-3540

Impact:
Important
Public Date:
2014-05-01
Bugzilla:
1116665: CVE-2014-3540 commons-beanutils: 'class' property is exposed, potentially leading to RCE

The MITRE CVE dictionary describes this issue as:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-0114. Reason: This candidate is a duplicate of CVE-2014-0114. CVE abstraction content decisions did not require a second ID. Notes: All CVE users should reference CVE-2014-0114 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Find out more about CVE-2014-3540 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

MITRE has rejected this CVE ID, favoring the use of CVE-2014-0114.

This flaw was the root cause of CVE-2014-0114, a flaw in Apache Struts 1 that could lead to unauthenticated remote code execution under certains conditions. Other frameworks built on commons-beanutils, such as Apache Stripes, are likely to expose similar issues. commons-beanutils 1.9.2 has now shipped, including a specialized BeanIntrospector implementation that allows suppressing properties. Frameworks built on commons-beantutils can make use of the new pre-configured SuppressPropertiesBeanIntrospector to address this flaw.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 7.5
Base Metrics AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.