VYPR
← All advisories
High severityNVD Advisory· Published Apr 30, 2014· Updated May 6, 2026

CVE-2014-0114

CVE-2014-0114

Description

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
commons-beanutils:commons-beanutilsMaven
>= 1.8.0, < 1.9.41.9.4

Affected products

18
  • Apache/Commons Beanutils
    cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*
    Range: <=1.9.1
  • Apache/Struts17 versions
    cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*+ 16 more
    • cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*

Patches

1
62e82ad92cf4

BEANUTILS-520: mitigation for CVE-2014-0114

https://github.com/apache/commons-beanutilsRob TompkinsJun 6, 2019via ghsa
commit
6 files changed · +78 0
  • pom.xml+10 0 modified
    @@ -195,6 +195,12 @@
       <timezone>+0</timezone>
       <organization>The Apache Software Foundation</organization>
     </developer>
+    <developer>
+      <id>chtompki</id>
+      <name>Rob Tompkins</name>
+      <email>chtompki@apache.org</email>
+      <organization>The Apache Software Foundation</organization>
+    </developer>
   </developers>
 
   <contributors>
@@ -298,6 +304,10 @@
       <name>Bernhard Seebass</name>
       <email />
     </contributor>
+    <contributor>
+      <name>Melloware</name>
+      <email />
+    </contributor>
   </contributors>
 
   <dependencies>
  • src/changes/changes.xml+6 0 modified
    @@ -29,6 +29,12 @@
   </properties>
   <body>
 
+    <release version="1.9.4" date="2019-06-08" description="Bugfix for CVE-2014-0114">
+      <action issue="BEANUTILS-520" dev="chtompki" type="fix" due-to="Melloware">
+        BeanUtils mitigate CVE-2014-0114.
+      </action>
+    </release>
+
     <release version="1.9.3" date="2016-09-21" description="Bug fix release, now builds with Java 8">
       <action issue="BEANUTILS-433" dev="ggregory" type="update" due-to="Benedikt Ritter, Gary Gregory">
         Update dependency from JUnit 3.8.1 to 4.12.
  • src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java+1 0 modified
    @@ -188,6 +188,7 @@ public void setResolver(final Resolver resolver) {
     public final void resetBeanIntrospectors() {
         introspectors.clear();
         introspectors.add(DefaultBeanIntrospector.INSTANCE);
+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
     }
 
     /**
  • src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java+1 0 modified
    @@ -42,6 +42,7 @@ public class BeanIntrospectionDataTestCase extends TestCase {
      */
     private static PropertyDescriptor[] fetchDescriptors() {
         final PropertyUtilsBean pub = new PropertyUtilsBean();
+        pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
         pub.addBeanIntrospector(new FluentPropertyBeanIntrospector());
         return pub.getPropertyDescriptors(BEAN_CLASS);
     }
  • src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java+5 0 modified
    @@ -24,6 +24,8 @@
 import junit.framework.TestSuite;
 
 import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -74,6 +76,9 @@ public static Test suite() {
     @Override
     protected void setUp() throws Exception {
         super.setUp();
+        BeanUtilsBean custom = new BeanUtilsBean();
+        custom.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        BeanUtilsBean.setInstance(custom);
     }
 
     /**
  • src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java+55 0 added
    @@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.beanutils.bugs;
+
+import org.apache.commons.beanutils.AlphaBean;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
+
+import junit.framework.TestCase;
+
+/**
+ * Fix CVE: https://nvd.nist.gov/vuln/detail/CVE-2014-0114
+ *
+ * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-520">https://issues.apache.org/jira/browse/BEANUTILS-520</a>
+ */
+public class Jira520TestCase extends TestCase {
+    /**
+     * By default opt-in to security that does not allow access to "class".
+     */
+    public void testSuppressClassPropertyByDefault() throws Exception {
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        final AlphaBean bean = new AlphaBean();
+        try {
+            bub.getProperty(bean, "class");
+            fail("Could access class property!");
+        } catch (final NoSuchMethodException ex) {
+            // ok
+        }
+    }
+
+    /**
+     * Allow opt-out to make your app less secure but allow access to "class".
+     */
+    public void testAllowAccessToClassProperty() throws Exception {
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        final AlphaBean bean = new AlphaBean();
+        String result = bub.getProperty(bean, "class");
+        assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils.AlphaBean", result);
+    }
+}
\ No newline at end of file

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

176

News mentions

0

No linked articles in our index yet.