CVE-2013-2251: Apache Struts Improper Input Validation Vulnerability
First published: Thu Jul 18 2013(Updated: )
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.struts:struts2-core | <2.3.15.1 | 2.3.15.1 |
| Apache Struts 2 | ||
| Apache Struts 2 | =2.0.0 | |
| Apache Struts 2 | =2.0.1 | |
| Apache Struts 2 | =2.0.2 | |
| Apache Struts 2 | =2.0.3 | |
| Apache Struts 2 | =2.0.4 | |
| Apache Struts 2 | =2.0.5 | |
| Apache Struts 2 | =2.0.6 | |
| Apache Struts 2 | =2.0.7 | |
| Apache Struts 2 | =2.0.8 | |
| Apache Struts 2 | =2.0.9 | |
| Apache Struts 2 | =2.0.10 | |
| Apache Struts 2 | =2.0.11 | |
| Apache Struts 2 | =2.0.11.1 | |
| Apache Struts 2 | =2.0.11.2 | |
| Apache Struts 2 | =2.0.12 | |
| Apache Struts 2 | =2.0.13 | |
| Apache Struts 2 | =2.0.14 | |
| Apache Struts 2 | =2.1.0 | |
| Apache Struts 2 | =2.1.1 | |
| Apache Struts 2 | =2.1.2 | |
| Apache Struts 2 | =2.1.3 | |
| Apache Struts 2 | =2.1.4 | |
| Apache Struts 2 | =2.1.5 | |
| Apache Struts 2 | =2.1.6 | |
| Apache Struts 2 | =2.1.8 | |
| Apache Struts 2 | =2.1.8.1 | |
| Apache Struts 2 | =2.2.1 | |
| Apache Struts 2 | =2.2.1.1 | |
| Apache Struts 2 | =2.2.3 | |
| Apache Struts 2 | =2.2.3.1 | |
| Apache Struts 2 | =2.3.1 | |
| Apache Struts 2 | =2.3.1.1 | |
| Apache Struts 2 | =2.3.1.2 | |
| Apache Struts 2 | =2.3.3 | |
| Apache Struts 2 | =2.3.4 | |
| Apache Struts 2 | =2.3.4.1 | |
| Apache Struts 2 | =2.3.7 | |
| Apache Struts 2 | =2.3.8 | |
| Apache Struts 2 | =2.3.12 | |
| Apache Struts 2 | =2.3.14 | |
| Apache Struts 2 | =2.3.14.1 | |
| Apache Struts 2 | =2.3.14.2 | |
| Apache Struts 2 | =2.3.14.3 | |
| Apache Struts 2 | =2.3.15 | |
| Apache Archiva | >=1.3<1.3.8 | |
| Apache Archiva | =1.2 | |
| Apache Archiva | =1.2.2 | |
| Apache Struts 2 | >=2.0.0<=2.3.15 | |
| All of | ||
| Fujitsu Interstage Business Process Manager Analytics | =12.0 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2008 Itanium | ||
| Red Hat Enterprise Linux | >=5.0<=6.10 | |
| All of | ||
| Fujitsu Interstage Business Process Manager Analytics | =12.1 | |
| Any of | ||
| Microsoft Windows Server 2003 | ||
| Microsoft Windows Server 2008 Itanium | ||
| Microsoft Windows Server 2012 x64 | ||
| Oracle Solaris SPARC | =11 | |
| Red Hat Enterprise Linux | >=5.0<=6.10 | |
| All of | ||
| Fujitsu gp7000f | ||
| Fujitsu GP7000F | ||
| All of | ||
| Fujitsu PrimePower Firmware | ||
| Fujitsu PrimePower | ||
| All of | ||
| Fujitsu GP-S | ||
| Fujitsu GP-S Firmware | ||
| All of | ||
| Fujitsu Primergy Firmware | ||
| Fujitsu PRIMERGY | ||
| All of | ||
| Fujitsu GranPower 5000 | ||
| Fujitsu GP5000 Firmware | ||
| All of | ||
| Fujitsu SPARC Firmware | ||
| Fujitsu SPARC | ||
| Oracle Siebel E-Billing | =6.1 | |
| Oracle Siebel E-Billing | =6.1.1 | |
| Oracle Siebel E-Billing | =6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2013-2251
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
- http://archiva.apache.org/security.html
- http://cxsecurity.com/issue/WLB-2014010087
- http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2013/Oct/96
- http://seclists.org/oss-sec/2014/q1/89
- http://struts.apache.org/release/2.3.x/docs/s2-016.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
- http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
- https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6
- https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e
- https://issues.apache.org/jira/browse/WW-4140
- https://github.com/advisories/GHSA-47qp-8v9g-39hp (Advisory)
- http://osvdb.org/98445
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/61189
- http://www.securityfocus.com/bid/64758
- http://www.securitytracker.com/id/1029184
- http://www.securitytracker.com/id/1032916
Frequently Asked Questions
What is the severity of CVE-2013-2251?
CVE-2013-2251 is classified as a critical vulnerability due to its potential for remote code execution through crafted input.
How can I mitigate CVE-2013-2251?
To mitigate CVE-2013-2251, ensure that you update to Apache Struts version 2.3.15.1 or later.
What versions of Apache Struts are affected by CVE-2013-2251?
CVE-2013-2251 affects Apache Struts versions from 2.0.0 to 2.3.15.
What types of attacks can CVE-2013-2251 enable?
CVE-2013-2251 can enable remote attackers to execute arbitrary OGNL expressions, potentially leading to full system compromise.
Is there a patch available for CVE-2013-2251?
Yes, a patch is available by upgrading to Apache Struts version 2.3.15.1 or newer.
- collector/github-advisory-latest
- alias/GHSA-47qp-8v9g-39hp
- alias/CVE-2013-2251
- collector/github-advisory
- agent/type
- agent/title
- agent/references
- agent/weakness
- agent/remedy
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- package-manager/maven
- vendor/apache
- canonical/apache struts 2
- version/apache struts 2/2.0.0
- version/apache struts 2/2.0.1
- version/apache struts 2/2.0.2
- version/apache struts 2/2.0.3
- version/apache struts 2/2.0.4
- version/apache struts 2/2.0.5
- version/apache struts 2/2.0.6
- version/apache struts 2/2.0.7
- version/apache struts 2/2.0.8
- version/apache struts 2/2.0.9
- version/apache struts 2/2.0.10
- version/apache struts 2/2.0.11
- version/apache struts 2/2.0.11.1
- version/apache struts 2/2.0.11.2
- version/apache struts 2/2.0.12
- version/apache struts 2/2.0.13
- version/apache struts 2/2.0.14
- version/apache struts 2/2.1.0
- version/apache struts 2/2.1.1
- version/apache struts 2/2.1.2
- version/apache struts 2/2.1.3
- version/apache struts 2/2.1.4
- version/apache struts 2/2.1.5
- version/apache struts 2/2.1.6
- version/apache struts 2/2.1.8
- version/apache struts 2/2.1.8.1
- version/apache struts 2/2.2.1
- version/apache struts 2/2.2.1.1
- version/apache struts 2/2.2.3
- version/apache struts 2/2.2.3.1
- version/apache struts 2/2.3.1
- version/apache struts 2/2.3.1.1
- version/apache struts 2/2.3.1.2
- version/apache struts 2/2.3.3
- version/apache struts 2/2.3.4
- version/apache struts 2/2.3.4.1
- version/apache struts 2/2.3.7
- version/apache struts 2/2.3.8
- version/apache struts 2/2.3.12
- version/apache struts 2/2.3.14
- version/apache struts 2/2.3.14.1
- version/apache struts 2/2.3.14.2
- version/apache struts 2/2.3.14.3
- version/apache struts 2/2.3.15
- canonical/apache archiva
- version/apache archiva/1.3
- version/apache archiva/1.2
- version/apache archiva/1.2.2
- vendor/fujitsu
- canonical/fujitsu interstage business process manager analytics
- version/fujitsu interstage business process manager analytics/12.0
- vendor/microsoft
- canonical/microsoft windows server 2003
- canonical/microsoft windows server 2008 itanium
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/5.0
- version/red hat enterprise linux/6.10
- version/fujitsu interstage business process manager analytics/12.1
- canonical/microsoft windows server 2012 x64
- vendor/oracle
- canonical/oracle solaris sparc
- version/oracle solaris sparc/11
- canonical/fujitsu gp7000f
- canonical/fujitsu primepower firmware
- canonical/fujitsu primepower
- canonical/fujitsu gp-s
- canonical/fujitsu gp-s firmware
- canonical/fujitsu primergy firmware
- canonical/fujitsu primergy
- canonical/fujitsu granpower 5000
- canonical/fujitsu gp5000 firmware
- canonical/fujitsu sparc firmware
- canonical/fujitsu sparc
- canonical/oracle siebel e-billing
- version/oracle siebel e-billing/6.1
- version/oracle siebel e-billing/6.1.1
- version/oracle siebel e-billing/6.2