CVE-2013-2251

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. The prefix is carried in the parameter name, not its value, so a single crafted request to any Struts action is enough; the expression is evaluated server-side, which the Struts advisory S2-016 (linked below) classifies as remote command execution. The fix is to upgrade to Struts 2.3.15.1 or later.
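As an added example (not part of the NVD record and not the Struts project's own code), the following Python script performs the two checks a practitioner wants for this CVE: it tests whether a struts2-core version string falls inside the affected 2.0.0 through 2.3.15 range, and it scans web access-log lines for requests whose parameter names carry the action:, redirect: or redirectAction: prefix together with OGNL expression syntax (${ or %{). The log lines, IP addresses and function names are constructed for this example. A bare action: prefix without an expression is deliberately not flagged, because Struts uses that prefix legitimately for submit buttons.

```python
"""Triage helpers for CVE-2013-2251 (Struts S2-016).

Added example; not part of the NVD record or the Struts project.
  1. is_affected(version): is a struts2-core version inside 2.0.0..2.3.15?
  2. find_prefix_abuse(log_lines): flag requests whose parameter *names*
     carry the action:/redirect:/redirectAction: prefix plus OGNL syntax.
The access-log lines below are constructed for this example.
"""
import re
from urllib.parse import unquote, urlsplit

AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 3, 15)          # 2.3.15.1 is the fixed release (S2-016)
PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKERS = ("${", "%{")        # expression syntax Struts evaluates

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """'2.3.15.1' -> (2, 3, 15, 1); a non-numeric tail such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies in the range NVD lists for this CVE.

    Tuple comparison makes (2, 3, 15, 1) sort above (2, 3, 15), so the
    fixed release is correctly reported as not affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def suspicious_params(target: str) -> list:
    """Return decoded parameter names that use a special prefix and contain
    OGNL expression syntax. Only the name is inspected: that is where the
    prefix (and the crafted expression) lives for this vulnerability."""
    hits = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name = unquote(pair.split("=", 1)[0])      # %24%7B -> ${
        # 'action:cancel' from a <s:submit action="cancel"/> is normal
        # Struts traffic; only prefix + expression syntax is suspicious.
        if name.startswith(PREFIXES) and any(m in name for m in OGNL_MARKERS):
            hits.append(name)
    return hits


def find_prefix_abuse(log_lines) -> list:
    """Scan access-log lines; return one finding per request with hits."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # unparseable line, skip
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "params": hits})
    return findings


# Constructed sample lines (not real traffic). The first two carry the
# encoded expression ${1+1} / %{1+1} in a prefixed parameter name.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jul/2013:10:01:02 +0000] "GET /app/login.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0',
    '203.0.113.5 - - [18/Jul/2013:10:01:03 +0000] "GET /app/login.action?redirectAction:%25%7B1%2B1%7D HTTP/1.1" 302 0',
    '198.51.100.9 - - [18/Jul/2013:10:02:00 +0000] "POST /app/save.action?action:cancel HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Jul/2013:10:02:10 +0000] "GET /app/index.action?q=hello HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for version in ("2.0.0", "2.3.15", "2.3.15.1", "2.3.16"):
        print(f"struts2-core {version}: affected={is_affected(version)}")
    for finding in find_prefix_abuse(SAMPLE_LOG):
        print(finding)
```

Only the query string of a GET request is visible in a standard access log; Struts applies the same prefix handling to POST body parameters, so a complete check needs request bodies from a WAF or application log. Version strings are compared as numeric tuples, so 2.3.15.1 sorts above 2.3.15 and is reported as not affected.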
References
Link Resource
http://archiva.apache.org/security.html Product
http://cxsecurity.com/issue/WLB-2014010087 Exploit Third Party Advisory
http://osvdb.org/98445 Broken Link
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2013/Oct/96 Exploit Mailing List Third Party Advisory
http://seclists.org/oss-sec/2014/q1/89 Mailing List Third Party Advisory
http://struts.apache.org/release/2.3.x/docs/s2-016.html Patch
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 Third Party Advisory
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html Patch Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html Patch Third Party Advisory
http://www.securityfocus.com/bid/61189 Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/64758 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1029184 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1032916 Broken Link Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 Third Party Advisory VDB Entry
Configurations

Configuration 1

OR cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2:-:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.0:*:*:*:*:*:*:*
OR cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.1:*:*:*:*:*:*:*
OR cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:fujitsu:gp7000f_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp7000f:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:fujitsu:primepower_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primepower:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:fujitsu:gp-s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp-s:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:fujitsu:primergy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primergy:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:fujitsu:gp5000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp5000:-:*:*:*:*:*:*:*

Configuration 9

AND
cpe:2.3:o:fujitsu:sparc_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:sparc:-:*:*:*:*:*:*:*

Configuration 10

OR cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.2:*:*:*:*:*:*:*

History

27 Nov 2024, 16:07

Type | Values Removed | Values Added
CPE | cpe:2.3:a:oracle:solaris:11:*:*:*:*:*:*:* | cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*

21 Nov 2024, 01:51

Type | Values Removed | Values Added
References () http://archiva.apache.org/security.html - Product () http://archiva.apache.org/security.html - Product
References () http://cxsecurity.com/issue/WLB-2014010087 - Exploit, Third Party Advisory () http://cxsecurity.com/issue/WLB-2014010087 - Exploit, Third Party Advisory
References () http://osvdb.org/98445 - Broken Link () http://osvdb.org/98445 - Broken Link
References () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2013/Oct/96 - Exploit, Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2013/Oct/96 - Exploit, Mailing List, Third Party Advisory
References () http://seclists.org/oss-sec/2014/q1/89 - Mailing List, Third Party Advisory () http://seclists.org/oss-sec/2014/q1/89 - Mailing List, Third Party Advisory
References () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch
References () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - Third Party Advisory () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - Third Party Advisory
References () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - Third Party Advisory () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - Patch, Third Party Advisory () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - Patch, Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Third Party Advisory () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Third Party Advisory
References () http://www.securityfocus.com/bid/61189 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/61189 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/64758 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/64758 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1029184 - Broken Link, Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1029184 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1032916 - Broken Link, Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1032916 - Broken Link, Third Party Advisory, VDB Entry
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - Third Party Advisory, VDB Entry () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - Third Party Advisory, VDB Entry

16 Jul 2024, 17:57

Type | Values Removed | Values Added
First Time | (none) | Fujitsu primepower
Oracle
Redhat
Microsoft windows Server 2012
Fujitsu primepower Firmware
Fujitsu gp-s
Oracle siebel Apps - E-billing
Microsoft
Oracle solaris
Fujitsu gp7000f
Fujitsu sparc
Fujitsu gp-s Firmware
Fujitsu sparc Firmware
Fujitsu primergy
Fujitsu primergy Firmware
Fujitsu gp5000
Microsoft windows Server 2003
Fujitsu
Fujitsu gp7000f Firmware
Redhat enterprise Linux
Fujitsu interstage Business Process Manager Analytics
Microsoft windows Server 2008
Apache archiva
Fujitsu gp5000 Firmware
References () http://archiva.apache.org/security.html - () http://archiva.apache.org/security.html - Product
References () http://cxsecurity.com/issue/WLB-2014010087 - () http://cxsecurity.com/issue/WLB-2014010087 - Exploit, Third Party Advisory
References () http://osvdb.org/98445 - () http://osvdb.org/98445 - Broken Link
References () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - () http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2013/Oct/96 - () http://seclists.org/fulldisclosure/2013/Oct/96 - Exploit, Mailing List, Third Party Advisory
References () http://seclists.org/oss-sec/2014/q1/89 - () http://seclists.org/oss-sec/2014/q1/89 - Mailing List, Third Party Advisory
References () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch, Vendor Advisory () http://struts.apache.org/release/2.3.x/docs/s2-016.html - Patch
References () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - () http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 - Third Party Advisory
References () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - () http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html - Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - () http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html - Patch, Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Vendor Advisory () http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html - Patch, Third Party Advisory
References () http://www.securityfocus.com/bid/61189 - () http://www.securityfocus.com/bid/61189 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/64758 - () http://www.securityfocus.com/bid/64758 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1029184 - () http://www.securitytracker.com/id/1029184 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1032916 - () http://www.securitytracker.com/id/1032916 - Broken Link, Third Party Advisory, VDB Entry
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - () https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 - Third Party Advisory, VDB Entry
CPE | Values Removed:
cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
Values Added:
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primepower:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:gp-s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:solaris:11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.2:*:*:*:*:*:*:*
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.1:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp5000:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:sparc:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:primepower_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2.2:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:sparc_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:gp7000f_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:primergy:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:gp5000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:archiva:1.2:-:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2003:-:*:*:*:*:*:*:*
cpe:2.3:a:fujitsu:interstage_business_process_manager_analytics:12.0:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp7000f:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_apps_-_e-billing:6.1:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:fujitsu:primergy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:h:fujitsu:gp-s:-:*:*:*:*:*:*:*
CVSS | v2 : 9.3, v3 : unknown | v2 : 9.3, v3 : 9.8
CWE | CWE-20 | CWE-74

Information

Published : 2013-07-20 03:37

Updated : 2025-04-11 00:51


NVD link : CVE-2013-2251

Mitre link : CVE-2013-2251

CVE.ORG link : CVE-2013-2251



Products Affected

fujitsu

  • primergy_firmware
  • sparc_firmware
  • gp5000
  • gp-s
  • primepower
  • gp7000f
  • primepower_firmware
  • primergy
  • sparc
  • gp7000f_firmware
  • gp5000_firmware
  • gp-s_firmware
  • interstage_business_process_manager_analytics

microsoft

  • windows_server_2012
  • windows_server_2003
  • windows_server_2008

apache

  • archiva
  • struts

redhat

  • enterprise_linux

oracle

  • solaris
  • siebel_apps_-_e-billing
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')