What is the severity of CVE-2013-2115?

CVE-2013-2115 has a high severity level due to its potential for remote command execution and session manipulation.

How do I fix CVE-2013-2115?

To fix CVE-2013-2115, you should upgrade to Apache Struts versions 2.3.14.2 or later.

What types of attacks are possible with CVE-2013-2115?

CVE-2013-2115 can lead to remote command execution, session hijacking, and cross-site scripting (XSS) attacks.

What versions of Apache Struts are affected by CVE-2013-2115?

CVE-2013-2115 affects Apache Struts versions between 2.0.0 and 2.3.14.1.

Is CVE-2013-2115 related to parameter inclusion vulnerabilities?

Yes, CVE-2013-2115 is related to parameter inclusion vulnerabilities that can be exploited via URL and Anchor Tags.

Vulnerability/
CVE-2013-2115

critical

9.3

CWE

94 79

10/7/2013

13/5/2022

3/10/2022

6/8/2024

CVE-2013-2115: Code Injection

First published: Wed Jul 10 2013(Updated: )

A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks. both the s:url and s:a tag provide an includeParams attribute. The main scope of that attribute is to understand whether includes http request parameter or not. The allowed values of includeParams are: none - include no parameters in the URL (default) get - include only GET parameters in the URL all - include both GET and POST parameters in the URL A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation. The second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request. This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections. The issue was originally addressed by Struts 2.3.14.1 and Security Announcement [S2-013](https://cwiki.apache.org/confluence/display/WW/S2-013). However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
maven/org.apache.struts.xwork:xwork-core	>=2.0.0<2.3.14.2	2.3.14.2
maven/org.apache.struts:struts2-core	>=2.0.0<2.3.14.2	2.3.14.2
Apache Struts 2	>=2.0.0<=2.3.14.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2013-2115?
CVE-2013-2115 has a high severity level due to its potential for remote command execution and session manipulation.
How do I fix CVE-2013-2115?
To fix CVE-2013-2115, you should upgrade to Apache Struts versions 2.3.14.2 or later.
What types of attacks are possible with CVE-2013-2115?
CVE-2013-2115 can lead to remote command execution, session hijacking, and cross-site scripting (XSS) attacks.
What versions of Apache Struts are affected by CVE-2013-2115?
CVE-2013-2115 affects Apache Struts versions between 2.0.0 and 2.3.14.1.
Is CVE-2013-2115 related to parameter inclusion vulnerabilities?
Yes, CVE-2013-2115 is related to parameter inclusion vulnerabilities that can be exploited via URL and Anchor Tags.

collector/github-advisory-latest
alias/GHSA-7ghm-rpc7-p7g5
alias/CVE-2013-2115
collector/github-advisory
agent/author
agent/type
agent/weakness
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/references
agent/severity
agent/event
agent/description
agent/trending
agent/source
agent/tags
collector/nvd-cve
agent/software-canonical-lookup-request
collector/nvd-index
package-manager/maven
vendor/apache
canonical/apache struts 2
version/apache struts 2/2.0.0
version/apache struts 2/2.3.14.1