CVE-2013-2251

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
References
Link Resource
http://archiva.apache.org/security.html Product
http://cxsecurity.com/issue/WLB-2014010087 Exploit Third Party Advisory
http://osvdb.org/98445 Broken Link
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2013/Oct/96 Exploit Mailing List Third Party Advisory
http://seclists.org/oss-sec/2014/q1/89 Mailing List Third Party Advisory
http://struts.apache.org/release/2.3.x/docs/s2-016.html Patch
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 Third Party Advisory
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html Patch Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html Patch Third Party Advisory
http://www.securityfocus.com/bid/61189 Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/64758 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1029184 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1032916 Broken Link Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 Third Party Advisory VDB Entry
http://archiva.apache.org/security.html Product
http://cxsecurity.com/issue/WLB-2014010087 Exploit Third Party Advisory
http://osvdb.org/98445 Broken Link
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2013/Oct/96 Exploit Mailing List Third Party Advisory
http://seclists.org/oss-sec/2014/q1/89 Mailing List Third Party Advisory
http://struts.apache.org/release/2.3.x/docs/s2-016.html Patch
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 Third Party Advisory
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html Patch Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html Patch Third Party Advisory
http://www.securityfocus.com/bid/61189 Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/64758 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1029184 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1032916 Broken Link Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2:-:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.0:*:*:*:*:*:*:*
OR cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.1:*:*:*:*:*:*:*
OR cpe:2.3:a:oracle:solaris:11:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:fujitsu:gp7000f_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp7000f:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:fujitsu:primepower_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primepower:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:fujitsu:gp-s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp-s:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:fujitsu:primergy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primergy:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:fujitsu:gp5000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp5000:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:fujitsu:sparc_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:sparc:-:*:*:*:*:*:*:*

Configuration 10 (hide)

OR cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.2:*:*:*:*:*:*:*

History

21 Nov 2024, 01:51

Type Values Removed Values Added
References () http://archiva.apache.org/security.html - Product () http://archiva.apache.org/security.html - Product
References () http://cxsecurity.com/issue/WLB-2014010087 - Exploit, Third Party Advisory () http://cxsecurity.com/issue/WLB-2014010087 - Exploit, Third Party Advisory
References () http://osvdb.org/98445 - Broken Link () http://osvdb.org/98445 - Broken Link
References () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2013/Oct/96 - Exploit, Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2013/Oct/96 - Exploit, Mailing List, Third Party Advisory
References () http://seclists.org/oss-sec/2014/q1/89 - Mailing List, Third Party Advisory () http://seclists.org/oss-sec/2014/q1/89 - Mailing List, Third Party Advisory
References () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch
References () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - Third Party Advisory () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - Third Party Advisory
References () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - Third Party Advisory () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - Patch, Third Party Advisory () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - Patch, Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Third Party Advisory () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Third Party Advisory
References () http://www.securityfocus.com/bid/61189 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/61189 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/64758 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/64758 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1029184 - Broken Link, Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1029184 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1032916 - Broken Link, Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1032916 - Broken Link, Third Party Advisory, VDB Entry
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - Third Party Advisory, VDB Entry () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - Third Party Advisory, VDB Entry

16 Jul 2024, 17:57

Type Values Removed Values Added
CWE CWE-20 CWE-74
CVSS v2 : 9.3
v3 : unknown
v2 : 9.3
v3 : 9.8
References () http://archiva.apache.org/security.html - () http://archiva.apache.org/security.html - Product
References () http://cxsecurity.com/issue/WLB-2014010087 - () http://cxsecurity.com/issue/WLB-2014010087 - Exploit, Third Party Advisory
References () http://osvdb.org/98445 - () http://osvdb.org/98445 - Broken Link
References () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2013/Oct/96 - () http://seclists.org/fulldisclosure/2013/Oct/96 - Exploit, Mailing List, Third Party Advisory
References () http://seclists.org/oss-sec/2014/q1/89 - () http://seclists.org/oss-sec/2014/q1/89 - Mailing List, Third Party Advisory
References () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch, Vendor Advisory () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch
References () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - Third Party Advisory
References () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - Patch, Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Vendor Advisory () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Third Party Advisory
References () http://www.securityfocus.com/bid/61189 - () http://www.securityfocus.com/bid/61189 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/64758 - () http://www.securityfocus.com/bid/64758 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1029184 - () http://www.securitytracker.com/id/1029184 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1032916 - () http://www.securitytracker.com/id/1032916 - Broken Link, Third Party Advisory, VDB Entry
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - Third Party Advisory, VDB Entry
CPE cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.1:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp5000:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primergy:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1.1:*:*:*:*:*:*:*
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.0:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:primepower_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:gp5000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp7000f:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:primergy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:sparc:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.2:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:sparc_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp-s:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2:-:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:gp7000f_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:solaris:11:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primepower:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:gp-s_firmware:-:*:*:*:*:*:*:*
First Time Fujitsu primergy Firmware
Oracle
Fujitsu sparc Firmware
Fujitsu gp5000
Microsoft windows Server 2003
Fujitsu primepower
Fujitsu gp7000f
Fujitsu
Redhat
Oracle siebel Apps - E-billing
Fujitsu primergy
Microsoft
Fujitsu gp-s Firmware
Redhat enterprise Linux
Microsoft windows Server 2008
Fujitsu sparc
Apache archiva
Fujitsu interstage Business Process Manager Analytics
Fujitsu gp7000f Firmware
Microsoft windows Server 2012
Fujitsu gp-s
Fujitsu gp5000 Firmware
Oracle solaris
Fujitsu primepower Firmware

Information

Published : 2013-07-20 03:37

Updated : 2024-11-21 01:51


NVD link : CVE-2013-2251

Mitre link : CVE-2013-2251

CVE.ORG link : CVE-2013-2251


JSON object : View

Products Affected

redhat

  • enterprise_linux

fujitsu

  • sparc
  • gp7000f
  • sparc_firmware
  • gp5000
  • gp7000f_firmware
  • primepower_firmware
  • primergy
  • gp5000_firmware
  • gp-s_firmware
  • primergy_firmware
  • primepower
  • gp-s
  • interstage_business_process_manager_analytics

microsoft

  • windows_server_2012
  • windows_server_2008
  • windows_server_2003

apache

  • archiva
  • struts

oracle

  • siebel_apps_-_e-billing
  • solaris
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')