CVE-2013-4316

Published: 30/09/2013 Updated: 07/12/2016
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Apache Struts 2.0.0 up to and including 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

Affected Products

Vendor | Product | Versions
Apache | Struts | 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.0.11.2, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8, 2.1.8.1, 2.2.1, 2.2.1.1, 2.2.3, 2.2.3.1, 2.3.1, 2.3.1.1, 2.3.1.2, 2.3.3, 2.3.4, 2.3.4.1, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1
Oracle | Flexcube Private Banking | 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2
Oracle | Mysql Enterprise Monitor | 2.3.14, 3.0.4
Oracle | Webcenter Sites | 11.1.1.6.1, 11.1.1.8.0

Vendor Advisories

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors ...

Github Repositories

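Environment: Requires Java 18+ and Maven 3x+
Usage:
1. Download: git clone gitoschinanet/0d/Struts2_bugsgit
2. List the remote branches: git branch -a
3. Switch to a branch: git checkout <branch name>, e.g. git checkout S2-046
4. Package: mvn clean package
5. Deploy in Tomcat: copy the Struts2-046war generated in \target into the webapps directory under Tomcat, then start Tomcat and visit 12700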

Recent Articles

Apache Upgrade Repairs Struts, Fixes Two Vulnerabilities
Threatpost • Chris Brook • 23 Sep 2013

Developers behind the Apache Struts framework have released an update that fixes two vulnerabilities.
Creators of the open-source web application framework are encouraging users to upgrade to Struts 2.3.15.2 immediately.
One of the fixes addresses an issue (CVE-2013-4316) in the Dynamic Method Invocation (DMI) feature that was previously thought to break users’ applications if relied on too heavily. It was previously enabled by default and flashed a warning that users should switch...