First published: Tue Jul 16 2013(Updated: )
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.apache.struts.xwork:xwork-core | >=2.0.0<2.3.14.3 | 2.3.14.3 |
maven/org.apache.struts:struts2-core | >=2.0.0<2.3.14.3 | 2.3.14.3 |
Apache Struts 2 | >=2.0.0<2.3.14.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2013-2135 has a high severity rating due to its capability to allow remote code execution.
To fix CVE-2013-2135, upgrade to Apache Struts version 2.3.14.3 or later.
CVE-2013-2135 allows remote attackers to execute arbitrary OGNL code.
Apache Struts versions prior to 2.3.14.3 are affected by CVE-2013-2135.
Successful exploitation of CVE-2013-2135 can lead to full control of the affected application server.