CVE-2013-2251
In short
Apache Struts 2 versions up to 2.3.15 allow attackers to run arbitrary code on the server by sending specially crafted requests. The framework does not properly validate certain request parameters before evaluating them, so any website running an affected version is at serious risk.
Technical detail
Remote attackers can achieve arbitrary code execution by injecting OGNL (Object-Graph Navigation Language) expressions through HTTP parameters whose names carry an action:, redirect:, or redirectAction: prefix. The vulnerability stems from insufficient input validation in parameter processing; exploitation requires no authentication and has critical impact on confidentiality, integrity, and availability.
Summary generated and translated by AI from the official description.
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
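The detail above names the three special parameter prefixes that affected Struts versions evaluated as OGNL. A defender reviewing web-server logs for exposure can look for exactly that shape: a parameter name that starts with action:, redirect: or redirectAction: and contains an OGNL expression marker (%{ or ${) once URL-decoded. The following Python is an added example written for this page, not code from the vulnerability record or from the Apache Struts project; the log lines, IP addresses and paths are constructed sample data, and the function and constant names are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter-name prefixes that Struts 2.0.0 through 2.3.15 treated specially
# (S2-016); anything after the prefix was evaluated as an OGNL expression.
STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")

# OGNL expression delimiters as they appear after URL decoding.
OGNL_MARKER = re.compile(r"[%$]\{")

# Extracts the request target from a common-log-format request field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample access-log lines for this example (not real traffic).
# Line 1 and line 3 carry a prefixed parameter name with an encoded "%{";
# line 2 is an ordinary request; line 4 uses "redirectAction" as a plain
# parameter name without the colon, which is not the vulnerable form.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/index.action?redirect:%25%7B1%2B1%7D HTTP/1.1" 302 0
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /app/index.action?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:44 +0000] "GET /app/login.action?action:%25%7Bx%7D=1 HTTP/1.1" 200 301
10.0.0.8 - - [10/Oct/2023:13:55:50 +0000] "GET /app/index.action?redirectAction=home HTTP/1.1" 200 100
"""


def is_s2_016_probe(request_target: str) -> bool:
    """Return True when the request carries a parameter whose *name* starts
    with one of the Struts special prefixes and contains an OGNL marker.

    The prefix lives in the parameter name, not its value, so the value is
    ignored. keep_blank_values keeps names that arrive without an '='.
    """
    query = urlsplit(request_target).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; a second unquote catches
        # double-encoded variants and is a no-op on plain text.
        name = unquote(name)
        if name.startswith(STRUTS_PREFIXES) and OGNL_MARKER.search(name):
            return True
    return False


def scan_log(text: str) -> list[str]:
    """Return the client IPs of log lines whose request looks like an
    S2-016 probe, in the order they appear."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_s2_016_probe(match.group(1)):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    for ip in scan_log(SAMPLE_LOG):
        print(f"possible S2-016 probe from {ip}")
```

The check keys on the parameter name rather than the value because that is where the vulnerable prefix is parsed; a request such as redirectAction=home is an ordinary parameter and is not flagged. A hit in the logs shows that someone tried, not that the host was vulnerable; pair it with a version check of the deployed Struts library against the affected range.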
Affected products
n/a · n/a
Public PoCs found: 4
- github: github.com/nth347/CVE-2013-2251 (★ 0)
- cve_reference: packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html (unverified)
- exploitdb: www.exploit-db.com/exploits/27135 (unverified)
- exploitdb: www.exploit-db.com/exploits/44583 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://archiva.apache.org/security.html
http://cxsecurity.com/issue/WLB-2014010087
http://osvdb.org/98445
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2013/Oct/96
http://seclists.org/oss-sec/2014/q1/89
https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
http://struts.apache.org/release/2.3.x/docs/s2-016.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html