CVE-2013-2251

Apache Struts Improper Input Validation Vulnerability

Severity Score

9.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Apache Struts v2.0.0 hasta v2.3.15 permite a atacantes remotos ejecutar expresiones OGNL arbitrarias mediante un parámetro con una (1)acción:, (2) redirect:, o (3) redirectAction:

Struts2 suffers from an OGNL injection vulnerability that allows for redirection. Versions 2.0.0 through 2.3.15 are affected.

Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.

*Credits: N/A

CVSS Scores

NISTv2 9.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-02-19 CVE Reserved
2013-07-18 CVE Published
2013-07-27 First Exploit
2022-03-25 Exploited in Wild
2022-04-15 KEV Due Date
2024-08-06 CVE Updated
2024-10-11 EPSS Updated

CWE

CWE-20: Improper Input Validation

CAPEC

References (19)

URL	Tag	Source
http://archiva.apache.org/security.html	X_refsource_confirm
http://cxsecurity.com/issue/WLB-2014010087	X_refsource_misc
http://osvdb.org/98445	Vdb Entry
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html	X_refsource_misc
http://seclists.org/fulldisclosure/2013/Oct/96	Mailing List
http://seclists.org/oss-sec/2014/q1/89	Mailing List
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html	X_refsource_confirm
http://www.securityfocus.com/bid/61189	Vdb Entry
http://www.securityfocus.com/bid/64758	Vdb Entry
http://www.securitytracker.com/id/1029184	Vdb Entry
http://www.securitytracker.com/id/1032916	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/90392	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/27135	2013-07-27
https://www.exploit-db.com/exploits/44583	2014-01-14
https://github.com/nth347/CVE-2013-2251	2023-08-04

URL	Date	SRC
http://struts.apache.org/release/2.3.x/docs/s2-016.html	2020-10-20
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html	2020-10-20

URL	Date	SRC
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2	2020-10-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.0 Search vendor "Apache" for product "Struts" and version "2.0.0"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.1 Search vendor "Apache" for product "Struts" and version "2.0.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.2 Search vendor "Apache" for product "Struts" and version "2.0.2"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.3 Search vendor "Apache" for product "Struts" and version "2.0.3"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.4 Search vendor "Apache" for product "Struts" and version "2.0.4"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.5 Search vendor "Apache" for product "Struts" and version "2.0.5"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.6 Search vendor "Apache" for product "Struts" and version "2.0.6"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.7 Search vendor "Apache" for product "Struts" and version "2.0.7"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.8 Search vendor "Apache" for product "Struts" and version "2.0.8"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.9 Search vendor "Apache" for product "Struts" and version "2.0.9"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.10 Search vendor "Apache" for product "Struts" and version "2.0.10"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.11 Search vendor "Apache" for product "Struts" and version "2.0.11"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.11.1 Search vendor "Apache" for product "Struts" and version "2.0.11.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.11.2 Search vendor "Apache" for product "Struts" and version "2.0.11.2"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.12 Search vendor "Apache" for product "Struts" and version "2.0.12"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.13 Search vendor "Apache" for product "Struts" and version "2.0.13"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.0.14 Search vendor "Apache" for product "Struts" and version "2.0.14"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.0 Search vendor "Apache" for product "Struts" and version "2.1.0"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.1 Search vendor "Apache" for product "Struts" and version "2.1.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.2 Search vendor "Apache" for product "Struts" and version "2.1.2"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.3 Search vendor "Apache" for product "Struts" and version "2.1.3"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.4 Search vendor "Apache" for product "Struts" and version "2.1.4"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.5 Search vendor "Apache" for product "Struts" and version "2.1.5"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.6 Search vendor "Apache" for product "Struts" and version "2.1.6"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.8 Search vendor "Apache" for product "Struts" and version "2.1.8"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.1.8.1 Search vendor "Apache" for product "Struts" and version "2.1.8.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.2.1 Search vendor "Apache" for product "Struts" and version "2.2.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.2.1.1 Search vendor "Apache" for product "Struts" and version "2.2.1.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.2.3 Search vendor "Apache" for product "Struts" and version "2.2.3"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.2.3.1 Search vendor "Apache" for product "Struts" and version "2.2.3.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.1 Search vendor "Apache" for product "Struts" and version "2.3.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.1.1 Search vendor "Apache" for product "Struts" and version "2.3.1.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.1.2 Search vendor "Apache" for product "Struts" and version "2.3.1.2"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.3 Search vendor "Apache" for product "Struts" and version "2.3.3"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.4 Search vendor "Apache" for product "Struts" and version "2.3.4"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.4.1 Search vendor "Apache" for product "Struts" and version "2.3.4.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.7 Search vendor "Apache" for product "Struts" and version "2.3.7"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.8 Search vendor "Apache" for product "Struts" and version "2.3.8"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.12 Search vendor "Apache" for product "Struts" and version "2.3.12"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.14 Search vendor "Apache" for product "Struts" and version "2.3.14"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.14.1 Search vendor "Apache" for product "Struts" and version "2.3.14.1"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.14.2 Search vendor "Apache" for product "Struts" and version "2.3.14.2"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.14.3 Search vendor "Apache" for product "Struts" and version "2.3.14.3"		-		Affected
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				2.3.15 Search vendor "Apache" for product "Struts" and version "2.3.15"		-		Affected