  1. Struts 2
  2. WW-4582

adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)


Details

    Description

      Hi,

      This is a permanent patch for security issue CVE-2014-0094; this adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)

      This is based on the information in S2-020.

      This also closes CVE-2014-0112, CVE-2014-0113 and CVE-2014-0116.
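
The exclusion described in the issue above, shown as an added stand-alone Java example that is not code from this patch or from the Struts project. It does not reproduce the ParametersInterceptor implementation; the class name `ExcludedParamDemo`, the methods `isAcceptable` and `filter`, the segment-splitting approach and the sample parameter names are all assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class ExcludedParamDemo {
    // Hypothetical deny-list for this example; the issue names only 'class'.
    private static final Set<String> EXCLUDED_SEGMENTS = Set.of("class");

    /** Returns true when no identifier segment of the name is on the deny-list. */
    static boolean isAcceptable(String paramName) {
        // Split on every non-identifier character so the check sees each
        // property segment, whatever separator the expression uses.
        for (String segment : paramName.split("[^A-Za-z0-9_$]+")) {
            // Compare case-insensitively so 'Class' is treated like 'class'.
            if (EXCLUDED_SEGMENTS.contains(segment.toLowerCase(Locale.ROOT))) {
                return false;
            }
        }
        return true;
    }

    /** Drops excluded names before any value is bound to the target object. */
    static Map<String, String> filter(Map<String, String> requestParams) {
        Map<String, String> accepted = new LinkedHashMap<>();
        requestParams.forEach((name, value) -> {
            if (isAcceptable(name)) {
                accepted.put(name, value);
            } else {
                System.err.println("rejected parameter name: " + name);
            }
        });
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample request parameters.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("user.name", "alice");
        params.put("classification", "public");          // must not be a false positive
        params.put("class.classLoader.anything", "x");     // 'class' as first segment
        params.put("user.class.classLoader.anything", "x"); // 'class' as nested segment
        System.out.println(filter(params).keySet());
    }
}
```

Matching on whole segments rather than on a substring keeps legitimate names such as `classification` working while rejecting `class` wherever it appears in the property path.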

          People

            lukaszlenart Lukasz Lenart
            victorsosa victorsosa