Vulnerability CVE-2013-2115


Published: 2013-07-10   Modified: 2013-07-13

Description:
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

See advisories in our WLB2 database:
Topic
Author
Date
High
Apache Struts includeParams Remote Code Execution
Richard Hicks
03.06.2013

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Apache -> Struts 

 References:
https://cwiki.apache.org/confluence/display/WW/S2-014
https://bugzilla.redhat.com/show_bug.cgi?id=967656
http://www.securityfocus.com/bid/60167
http://struts.apache.org/development/2.x/docs/s2-014.html

Copyright 2024, cxsecurity.com

 

Back to Top