Vulnerability CVE-2013-4310

See in [MITRE] [NVD]


Published: 2013-09-30   Modified: 2014-01-27

Description:
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.


Type:
CWE-264 (Permissions, Privileges, and Access Controls)

Vendor: Apache
Product: Struts 
Version:
2.3.8
2.3.7
2.3.4.1
2.3.4
2.3.3
2.3.15.1
2.3.15
2.3.14.3
2.3.14.2
2.3.14.1
2.3.14
2.3.12
2.3.1.2
2.3.1.1
2.3.1
2.2.3.1
2.2.3
2.2.1.1
2.2.1
2.1.8.1
2.1.8
2.1.6
2.1.5
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.14
2.0.13
2.0.12
2.0.11.2
2.0.11.1
2.0.11
2.0.10
2.0.1
2.0.0

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Related CVE
[ CVE-2014-8108 ]
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8...
[ CVE-2014-3580 ]
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x...
[ CVE-2014-3583 ]
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache ...
[ CVE-2014-7809 ]
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which a...
[ CVE-2014-7807 ]
Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypa...
[ CVE-2014-3627 ]
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, w...
[ CVE-2014-3629 ]
XML external entity (XXE) vulnerability in the XML Exchange module in Apache Qpid 0.30 allo...
[ CVE-2014-0228 ]
Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properl...
[ CVE-2014-3501 ]
Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist an...
[ CVE-2014-3502 ]
Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitr...

References:
http://struts.apache.org/release/2.3.x/docs/s2-018.html
http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html
http://www.securitytracker.com/id/1029077
http://www.securityfocus.com/bid/64758
http://secunia.com/advisories/56492
http://secunia.com/advisories/56483
http://secunia.com/advisories/54919
http://archives.neohapsis.com/archives/bugtraq/2013-10/0083.html
Copyright 2014, cxsecurity.com