Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-1965Code Injection in Apache Struts

CWE-94Code Injection7 documents7 sources
Severity
9.3CRITICALNVD
EPSS
91.8%
top 0.31%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache StrutsApache Struts2-showcase
Timeline
PublishedJul 10
Latest updateMay 14

Description

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

NVDapache/struts2-showcase2.0.02.3.13
NVDapache/struts2.0.02.3.14.1

🔴Vulnerability Details

3
OSV
Improper Control of Generation of Code in Apache Struts2022-05-14
GHSA
Improper Control of Generation of Code in Apache Struts2022-05-14
CVEList
CVE-2013-1965: Apache Struts Showcase App 22013-07-10

💥Exploits & PoCs

1
Nuclei
Apache Struts2 S2-012 RCE

📋Vendor Advisories

1
Red Hat
struts2: remote command execution in Showcase app2013-05-22

💬Community

1
Bugzilla
CVE-2013-1965 struts2: remote command execution in Showcase app2013-05-27
CVE-2013-1965 — Code Injection in Apache Struts | cvebase