CVE-2013-2251

Published: 20/07/2013 Updated: 20/10/2020
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 936
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Apache Struts 2.0.0 up to and including 2.3.15 allows remote malicious users to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Vulnerable Product

apache struts 2.2.3.1

apache struts 2.3.4

apache struts 2.3.14.1

apache struts 2.0.8

apache struts 2.1.2

apache struts 2.0.14

apache struts 2.1.8.1

apache struts 2.2.1.1

apache struts 2.0.1

apache struts 2.0.3

apache struts 2.3.12

apache struts 2.3.1.2

apache struts 2.0.11.1

apache struts 2.3.14.3

apache struts 2.3.15

apache struts 2.2.1

apache struts 2.1.3

apache struts 2.1.0

apache struts 2.1.8

apache struts 2.0.0

apache struts 2.3.1

apache struts 2.3.7

apache struts 2.3.14

apache struts 2.3.3

apache struts 2.0.11

apache struts 2.3.14.2

apache struts 2.0.6

apache struts 2.0.13

apache struts 2.0.12

apache struts 2.2.3

apache struts 2.0.4

apache struts 2.0.2

apache struts 2.0.5

apache struts 2.0.9

apache struts 2.0.11.2

apache struts 2.1.5

apache struts 2.1.4

apache struts 2.1.6

apache struts 2.1.1

apache struts 2.0.7

apache struts 2.0.10

apache struts 2.3.1.1

apache struts 2.3.4.1

apache struts 2.3.8

Vendor Advisories

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix ...
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability. The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL ...

Exploits

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking ...
Apache Struts 2 DefaultActionMapper Prefixes OGNL remote code execution exploit ...
Struts2 suffers from an OGNL injection vulnerability that allows for redirection. Versions 2.0.0 through 2.3.15 are affected ...

Github Repositories

Apache-Struts-v3: The script merges 3 RCE-type vulnerabilities in ApacheStruts and can also create a server shell. SHELL: php, function finished :); jsp, function in development. CVE ADD: CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'; CVE-2017-5638 Content-Type; CVE-2018-11776 'redirect:

Apache-Struts-v3: The script merges 3 RCE-type vulnerabilities in ApacheStruts and can also create a server shell. SHELL: php, finished; jsp, in progress. CVE ADD: CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'; CVE-2017-5638 Content-Type; CVE-2018-11776 'redirect:' and 'redirectAction

An interactive shell for the s2-016 exploit.

s2-016: This is an interactive shell for the s2-016 exploit. Interactive Shell for CVE-2013-2251. The Apache Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching nav
