CVE-2013-2251: Apache Struts Improper Input Validation Vulnerability
First published: Thu Jul 18 2013(Updated: )
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Struts | =2.0.0 | |
| Apache Struts | =2.0.1 | |
| Apache Struts | =2.0.2 | |
| Apache Struts | =2.0.3 | |
| Apache Struts | =2.0.4 | |
| Apache Struts | =2.0.5 | |
| Apache Struts | =2.0.6 | |
| Apache Struts | =2.0.7 | |
| Apache Struts | =2.0.8 | |
| Apache Struts | =2.0.9 | |
| Apache Struts | =2.0.10 | |
| Apache Struts | =2.0.11 | |
| Apache Struts | =2.0.11.1 | |
| Apache Struts | =2.0.11.2 | |
| Apache Struts | =2.0.12 | |
| Apache Struts | =2.0.13 | |
| Apache Struts | =2.0.14 | |
| Apache Struts | =2.1.0 | |
| Apache Struts | =2.1.1 | |
| Apache Struts | =2.1.2 | |
| Apache Struts | =2.1.3 | |
| Apache Struts | =2.1.4 | |
| Apache Struts | =2.1.5 | |
| Apache Struts | =2.1.6 | |
| Apache Struts | =2.1.8 | |
| Apache Struts | =2.1.8.1 | |
| Apache Struts | =2.2.1 | |
| Apache Struts | =2.2.1.1 | |
| Apache Struts | =2.2.3 | |
| Apache Struts | =2.2.3.1 | |
| Apache Struts | =2.3.1 | |
| Apache Struts | =2.3.1.1 | |
| Apache Struts | =2.3.1.2 | |
| Apache Struts | =2.3.3 | |
| Apache Struts | =2.3.4 | |
| Apache Struts | =2.3.4.1 | |
| Apache Struts | =2.3.7 | |
| Apache Struts | =2.3.8 | |
| Apache Struts | =2.3.12 | |
| Apache Struts | =2.3.14 | |
| Apache Struts | =2.3.14.1 | |
| Apache Struts | =2.3.14.2 | |
| Apache Struts | =2.3.14.3 | |
| Apache Struts | =2.3.15 | |
| maven/org.apache.struts:struts2-core | <2.3.15.1 | 2.3.15.1 |
| Apache Struts | ||
| Apache Archiva | >=1.3<1.3.8 | |
| Apache Archiva | =1.2 | |
| Apache Archiva | =1.2.2 | |
| Apache Struts | >=2.0.0<=2.3.15 | |
| All of | ||
| Fujitsu Interstage Business Process Manager Analytics | =12.0 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2008 | ||
| Redhat Enterprise Linux | >=5.0<=6.10 | |
| All of | ||
| Fujitsu Interstage Business Process Manager Analytics | =12.1 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2008 | ||
| Microsoft Windows Server 2012 | ||
| Oracle Solaris | =11 | |
| Redhat Enterprise Linux | >=5.0<=6.10 | |
| All of | ||
| Fujitsu Gp7000f Firmware | ||
| Fujitsu Gp7000f | ||
| All of | ||
| Fujitsu Primepower Firmware | ||
| Fujitsu Primepower | ||
| All of | ||
| Fujitsu Gp-s Firmware | ||
| Fujitsu Gp-s | ||
| All of | ||
| Fujitsu Primergy Firmware | ||
| Fujitsu Primergy | ||
| All of | ||
| Fujitsu Gp5000 Firmware | ||
| Fujitsu Gp5000 | ||
| All of | ||
| Fujitsu Sparc Firmware | ||
| Fujitsu Sparc | ||
| Oracle Siebel Apps - E-billing | =6.1 | |
| Oracle Siebel Apps - E-billing | =6.1.1 | |
| Oracle Siebel Apps - E-billing | =6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2013-2251
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
- http://archiva.apache.org/security.html
- http://cxsecurity.com/issue/WLB-2014010087
- http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2013/Oct/96
- http://seclists.org/oss-sec/2014/q1/89
- http://struts.apache.org/release/2.3.x/docs/s2-016.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
- http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
- https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6
- https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e
- https://issues.apache.org/jira/browse/WW-4140
- https://github.com/advisories/GHSA-47qp-8v9g-39hp (Advisory)
- http://osvdb.org/98445
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/61189
- http://www.securityfocus.com/bid/64758
- http://www.securitytracker.com/id/1029184
- http://www.securitytracker.com/id/1032916
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-47qp-8v9g-39hp
- alias/CVE-2013-2251
- collector/github-advisory
- agent/type
- agent/title
- agent/references
- agent/weakness
- agent/remedy
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/tags
- agent/event
- collector/nvd-cve
- agent/softwarecombine
- agent/trending
- vendor/apache
- canonical/apache struts
- version/apache struts/2.0.0
- version/apache struts/2.0.1
- version/apache struts/2.0.2
- version/apache struts/2.0.3
- version/apache struts/2.0.4
- version/apache struts/2.0.5
- version/apache struts/2.0.6
- version/apache struts/2.0.7
- version/apache struts/2.0.8
- version/apache struts/2.0.9
- version/apache struts/2.0.10
- version/apache struts/2.0.11
- version/apache struts/2.0.11.1
- version/apache struts/2.0.11.2
- version/apache struts/2.0.12
- version/apache struts/2.0.13
- version/apache struts/2.0.14
- version/apache struts/2.1.0
- version/apache struts/2.1.1
- version/apache struts/2.1.2
- version/apache struts/2.1.3
- version/apache struts/2.1.4
- version/apache struts/2.1.5
- version/apache struts/2.1.6
- version/apache struts/2.1.8
- version/apache struts/2.1.8.1
- version/apache struts/2.2.1
- version/apache struts/2.2.1.1
- version/apache struts/2.2.3
- version/apache struts/2.2.3.1
- version/apache struts/2.3.1
- version/apache struts/2.3.1.1
- version/apache struts/2.3.1.2
- version/apache struts/2.3.3
- version/apache struts/2.3.4
- version/apache struts/2.3.4.1
- version/apache struts/2.3.7
- version/apache struts/2.3.8
- version/apache struts/2.3.12
- version/apache struts/2.3.14
- version/apache struts/2.3.14.1
- version/apache struts/2.3.14.2
- version/apache struts/2.3.14.3
- version/apache struts/2.3.15
- package-manager/maven
- canonical/apache archiva
- version/apache archiva/1.3
- version/apache archiva/1.2
- version/apache archiva/1.2.2
- vendor/fujitsu
- canonical/fujitsu interstage business process manager analytics
- version/fujitsu interstage business process manager analytics/12.0
- vendor/microsoft
- canonical/microsoft windows server 2003
- canonical/microsoft windows server 2008
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/5.0
- version/redhat enterprise linux/6.10
- version/fujitsu interstage business process manager analytics/12.1
- canonical/microsoft windows server 2012
- vendor/oracle
- canonical/oracle solaris
- version/oracle solaris/11
- canonical/fujitsu gp7000f firmware
- canonical/fujitsu gp7000f
- canonical/fujitsu primepower firmware
- canonical/fujitsu primepower
- canonical/fujitsu gp-s firmware
- canonical/fujitsu gp-s
- canonical/fujitsu primergy firmware
- canonical/fujitsu primergy
- canonical/fujitsu gp5000 firmware
- canonical/fujitsu gp5000
- canonical/fujitsu sparc firmware
- canonical/fujitsu sparc
- canonical/oracle siebel apps - e-billing
- version/oracle siebel apps - e-billing/6.1
- version/oracle siebel apps - e-billing/6.1.1
- version/oracle siebel apps - e-billing/6.2