Vulnerability CVE-2013-2251


Published: 2013-07-19   Modified: 2016-12-07

Description:
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

See advisories in our WLB2 database:
Topic
Author
Date
High
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Juan vazquez
27.07.2013
Med.
Apache Struts2 2.3.15 OGNL Injection
Takeshi Terada
14.08.2013
High
Apache Archiva 1.3.6 => Remote Command Execution 0day
Kacper
14.01.2014
High
Struts 2 DefaultActionMapper RCE Exploit S2-016 [Python]
Jonatas Fil
05.07.2017

Vendor: Apache
Product: Struts 
Version:
2.3.8
2.3.7
2.3.4.1
2.3.4
2.3.3
2.3.15
2.3.14.3
2.3.14.2
2.3.14.1
2.3.14
2.3.12
2.3.1.2
2.3.1.1
2.3.1
2.2.3.1
2.2.3
2.2.1.1
2.2.1
2.1.8.1
2.1.8
2.1.6
2.1.5
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.14
2.0.13
2.0.12
2.0.11.2
2.0.11.1
2.0.11
2.0.10
2.0.1
2.0.0

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://archiva.apache.org/security.html
http://cxsecurity.com/issue/WLB-2014010087
http://seclists.org/fulldisclosure/2013/Oct/96
http://seclists.org/oss-sec/2014/q1/89
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/61189
http://www.securityfocus.com/bid/64758
http://www.securitytracker.com/id/1029184
http://xforce.iss.net/xforce/xfdb/90392

Related CVE
CVE-2017-9801
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
CVE-2016-8743
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in...
CVE-2016-2161
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
CVE-2016-0736
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated en...
CVE-2017-7659
A maliciously constructed HTTP/2 request could cause mod_http2 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process.
CVE-2015-3208
XML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.
CVE-2016-6798
In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potential...
CVE-2016-5394
In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vu...

Copyright 2017, cxsecurity.com