CVE-2013-2251

Опубликовано: 20 июл. 2013

Источник: nvd

CVSS3: 9.8

CVSS2: 9.3

EPSS Критический

Описание

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Ссылки

http://archiva.apache.org/security.html
Product
http://cxsecurity.com/issue/WLB-2014010087
Exploit
Third Party Advisory
http://osvdb.org/98445
Broken Link
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2013/Oct/96
Exploit
Mailing List
Third Party Advisory
http://seclists.org/oss-sec/2014/q1/89
Mailing List
Third Party Advisory
http://struts.apache.org/release/2.3.x/docs/s2-016.html
Patch
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
Third Party Advisory
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
Patch
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Patch
Third Party Advisory
http://www.securityfocus.com/bid/61189
Broken Link
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/64758
Broken Link
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1029184
Broken Link
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1032916
Broken Link
Third Party Advisory
VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
Third Party Advisory
VDB Entry
http://archiva.apache.org/security.html
Product
http://cxsecurity.com/issue/WLB-2014010087
Exploit
Third Party Advisory
http://osvdb.org/98445
Broken Link
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*

Версия от 1.3 (включая) до 1.3.8 (исключая)

cpe:2.3:a:apache:archiva:1.2:-:*:*:*:*:*:*

cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.3.15 (включая)

Конфигурация 2

Одновременно

cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.0:*:*:*:*:*:*:*

Одно из

cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Версия от 5.0 (включая) до 6.10 (включая)

Конфигурация 3

Одновременно

cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.1:*:*:*:*:*:*:*

Одно из

cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*

cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Версия от 5.0 (включая) до 6.10 (включая)

Конфигурация 4

Одновременно

cpe:2.3:o:fujitsu:gp7000f_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:gp7000f:-:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

cpe:2.3:o:fujitsu:primepower_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:primepower:-:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:o:fujitsu:gp-s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:gp-s:-:*:*:*:*:*:*:*

Конфигурация 7

Одновременно

cpe:2.3:o:fujitsu:primergy_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:primergy:-:*:*:*:*:*:*:*

Конфигурация 8

Одновременно

cpe:2.3:o:fujitsu:gp5000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:gp5000:-:*:*:*:*:*:*:*

Конфигурация 9

Одновременно

cpe:2.3:o:fujitsu:sparc_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:sparc:-:*:*:*:*:*:*:*

Конфигурация 10

Одно из

cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.2:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.94328

Критический

9.8 Critical

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-74

Связанные уязвимости

CVE-2013-2251

CVSS3: 9.8

ubuntu

больше 12 лет назад

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

CVE-2013-2251

redhat

больше 12 лет назад

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

CVE-2013-2251

CVSS3: 9.8

debian

больше 12 лет назад

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute ...

GHSA-47qp-8v9g-39hp

CVSS3: 9.8

github

больше 3 лет назад

Code injection in Apache Struts

BDU:2022-05999

CVSS3: 10

fstec

больше 12 лет назад

Уязвимость реализации механизма сопоставления действий DefaultActionMapper программной платформы Apache Struts, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 100%

0.94328

Критический

9.8 Critical

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-74