CVE-2013-1966
Published: 2013-07-10
Priority: P275 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 71.77% (99.3rd percentile)
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.0.0 < 2.3.14.1 | 2.3.14.1 |
| apache | struts | 2.0.0 – 2.3.14.1 | — |
Detection & IOCs (extracted from sources)
- Detect OGNL injection attempts in HTTP request parameters targeting the includeParams attribute of URL/A tags: look for OGNL expressions such as ${...} or %{...} containing #_memberAccess or @java.lang.Runtime@ in any request parameter value.
- Flag HTTP requests (GET or POST) to .action endpoints containing the string allowStaticMethodAccess in any parameter value; this is the OGNL bypass pattern used by the exploit.
- Monitor requests to the default target path /struts2-blank/example/HelloWorld.action on port 8080, the default used by the Metasploit module for this CVE.
- Detect time-based blind exploitation attempts: the module's check function sends an OGNL payload invoking @java.lang.Thread@sleep() and measures the response delay, so anomalous response latency on .action endpoints combined with OGNL syntax in parameters is a strong indicator.
- Alert on file writes to /tmp/ followed by chmod and execution via Runtime.exec from a Java web application process, the Linux payload-delivery chain used by the exploit.
- The exploit supports both GET and POST; ensure WAF/IDS rules inspect parameter values in both methods for OGNL injection patterns, not just POST bodies.
- When exploiting via GET, the OGNL payload may be split across multiple parameters because of URI length limits, which can corrupt the payload if the rendered JSP has more than one injection point.
- CVE-2013-1966 affects Struts 2.0.0 through 2.3.14; the fix in 2.3.14.1 was incomplete (tracked as CVE-2013-2115), and the vulnerability is only fully corrected in 2.3.14.2.
- The exploit's parameter name is randomized by default (rand_text_alpha_lower(4)), so signature-based detection keyed on a fixed parameter name will not reliably catch exploitation attempts.
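The notes above describe what to look for in request parameters. The script below is an added example (not code from this page's sources or from the Metasploit module) that applies those checks to a few constructed access-log lines: it inspects GET and POST alike, ignores the randomized parameter name, URL-decodes repeatedly, scans the concatenation of all values for a payload split across parameters, and pairs OGNL syntax with slow responses to catch Thread.sleep() probes. The tab-separated log layout, the ProcessBuilder marker, the 2000 ms latency threshold and the split-payload heuristic are assumptions of this example, not facts from the page.

```python
import re
from urllib.parse import parse_qsl, unquote

# Markers called out in the detection notes above. ProcessBuilder is an added
# assumption (a common Runtime.exec alternative), not something the page cites.
OGNL_MARKERS = (
    "#_memberAccess",
    "allowStaticMethodAccess",
    "@java.lang.Runtime@",
    "@java.lang.ProcessBuilder@",
    "@java.lang.Thread@sleep",
)
OGNL_WRAPPER = re.compile(r"[%$]\{")   # the ${...} / %{...} expression syntax
SLOW_RESPONSE_MS = 2000                # assumed threshold for sleep() probes


def decode_deep(value, rounds=3):
    """Undo repeated percent-encoding; exploit tooling often double-encodes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def request_params(path, body=""):
    """(name, value) pairs from the query string and form body, in order.
    The query is split on '?' by hand: an unencoded '#' from an OGNL payload
    would make urlsplit() treat the rest of the query as a fragment."""
    _, _, query = path.partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return [(name, decode_deep(value)) for name, value in pairs]


def classify(method, path, body="", latency_ms=None):
    """Score one request. GET and POST are treated alike and the parameter
    name is never used as a key, because the exploit randomizes it."""
    route = path.partition("?")[0]
    params = request_params(path, body)
    values = [v for _, v in params]
    reasons = []
    for name, value in params:
        hits = [m for m in OGNL_MARKERS if m in value]
        if hits:
            reasons.append(f"{', '.join(hits)} in parameter {name!r}")
    # Heuristic: a GET exploit may spread one expression over several
    # parameters, so scan the concatenation for markers cut across values.
    joined = "".join(values)
    for m in OGNL_MARKERS:
        if m in joined and not any(m in v for v in values):
            reasons.append(f"{m} assembled across parameters")
    has_wrapper = any(OGNL_WRAPPER.search(v) for v in values)
    if has_wrapper and not reasons:
        reasons.append("bare OGNL expression syntax in a parameter value")
    if has_wrapper and latency_ms is not None and latency_ms >= SLOW_RESPONSE_MS:
        reasons.append(f"OGNL syntax with {latency_ms:.0f} ms response (time-based probe)")
    severity = "none"
    if reasons:
        severity = "high" if any(m in joined for m in OGNL_MARKERS) else "medium"
        if route.endswith(".action"):
            reasons.append("target is a Struts .action endpoint")
    return {"method": method, "route": route, "severity": severity, "reasons": reasons}


def scan_log(lines):
    """Run classify() over constructed tab-separated access-log lines laid out
    as: client, method, path, status, latency_ms, body (body may be empty)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        fields = (line.rstrip("\n").split("\t") + [""])[:6]
        client, method, path, _status, latency, body = fields
        result = classify(method, path, body, latency_ms=float(latency))
        if result["severity"] != "none":
            result["client"] = client
            findings.append(result)
    return findings


# Constructed sample log: two attack requests, two benign ones.
SAMPLE_LOG = (
    "203.0.113.7\tGET\t/struts2-blank/example/HelloWorld.action?xqzt=%25%7B("
    "%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue%2C"
    "%40java.lang.Runtime%40getRuntime().exec('id'))%7D\t200\t84\t\n"
    "203.0.113.7\tPOST\t/struts2-blank/example/HelloWorld.action\t200\t5030\t"
    "kd=%25%7B%40java.lang.Thread%40sleep(5000)%7D\n"
    "198.51.100.2\tPOST\t/app/login.action\t302\t61\tusername=alice&password=hunter2\n"
    "198.51.100.9\tGET\t/docs/ognl-guide.html?q=memberAccess\t200\t12\t\n"
)

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["method"], hit["route"], hit["severity"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run as-is it reports the two attack lines and stays quiet on the login and the documentation search that merely contains the word memberAccess. Severity is "high" only when one of the listed markers is present (directly or after joining split parameters); a bare %{...} or ${...} with no marker is reported as "medium", which is the right place to put probes such as %{1+1}.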
CVSS provenance
- nvd · CVSS 2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
- vendor_redhat · 9.3 CRITICAL
Red Hat
CVE-2013-1966 [CRITICAL] struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
vendor_redhat · 2013-05-22 · CVSS 9.3
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Google Guice reposito
Red Hat
CVE-2013-2115 [CRITICAL] struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
vendor_redhat · 2013-05-22 · CVSS 9.3
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages.
OSV
CVE-2013-1966 [HIGH] Arbitrary code execution in Apache Struts
osv · 2022-05-14
GHSA
CVE-2013-1966 [HIGH] CWE-94 Arbitrary code execution in Apache Struts
ghsa · 2022-05-14
No detection rules found.
Exploit-DB
CVE-2013-2115 Apache Struts - includeParams Remote Code Execution (Metasploit)
exploitdb · 2013-06-05

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Apache Struts includeParams Remote Code Execution',
      'Description' => %q{
        This module exploits a remote command execution vulnerability in Apache Struts
        versions < 2.3.14.2. A specifically crafted request parameter can be used to
        inject arbitrary OGNL code into the stack bypassing Struts and OGNL library
        protections. When targeting an action which requires interaction through GET,
        the payload should be split, taking into account the URI limits. In this case,
        if the rendered JSP has more than one point of injection, it could result in
        payload corruption. This should happen only when the payload is larger than the
        URI length.
      },
      'Author'      =>
        [
          # This vulnerability was also discovered by unknown members of:
          # 'Coverity security Research Laboratory'
          # 'NSFOCUS Security Team'
          'Eric Kobrin',       # Vulnerability Discovery
          'Douglas Rodrigues', # Vulnerability Discovery
          'Richard Hicks'      # Metasploit Module
        ],
      'License'     => MSF_LICENSE,
      'Ref
```
Metasploit
Apache Struts includeParams Remote Code Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.14.2. A specifically crafted request parameter can be used to inject arbitrary OGNL code into the stack bypassing Struts and OGNL library protections. When targeting an action which requires interaction through GET, the payload should be split, taking into account the URI limits. In this case, if the rendered JSP has more than one point of injection, it could result in payload corruption. This should happen only when the payload is larger than the URI length.
References:
- http://struts.apache.org/development/2.x/docs/s2-013.html
- http://www.securityfocus.com/bid/60166
- https://bugzilla.redhat.com/show_bug.cgi?id=967656
- https://cwiki.apache.org/confluence/display/WW/S2-013
Published: 2013-07-10