Vulnerability CVE-2013-2251


Published: 2013-07-19   Modified: 2016-12-07

Description:
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

See advisories in our WLB2 database:
Topic
Author
Date
High
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Juan vazquez
27.07.2013
Med.
Apache Struts2 2.3.15 OGNL Injection
Takeshi Terada
14.08.2013
High
Apache Archiva 1.3.6 => Remote Command Execution 0day
Kacper
14.01.2014

Vendor: Apache
Product: Struts 
Version:
2.3.8
2.3.7
2.3.4.1
2.3.4
2.3.3
2.3.15
2.3.14.3
2.3.14.2
2.3.14.1
2.3.14
2.3.12
2.3.1.2
2.3.1.1
2.3.1
2.2.3.1
2.2.3
2.2.1.1
2.2.1
2.1.8.1
2.1.8
2.1.6
2.1.5
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.14
2.0.13
2.0.12
2.0.11.2
2.0.11.1
2.0.11
2.0.10
2.0.1
2.0.0

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://archiva.apache.org/security.html
http://cxsecurity.com/issue/WLB-2014010087
http://seclists.org/fulldisclosure/2013/Oct/96
http://seclists.org/oss-sec/2014/q1/89
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/61189
http://www.securityfocus.com/bid/64758
http://www.securitytracker.com/id/1029184
http://xforce.iss.net/xforce/xfdb/90392

Related CVE
CVE-2015-3254
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.
CVE-2017-7676
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior.
CVE-2017-7677
In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table.
CVE-2016-8751
Apache Ranger before 0.6.is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
CVE-2016-8746
Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true.
CVE-2017-7667
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin.
CVE-2017-7665
In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.
CVE-2015-5175
Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before 1.2.1 allow remote attackers to cause a denial of service.

Copyright 2017, cxsecurity.com