Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-1966Code Injection in Apache Struts

CWE-94Code Injection8 documents7 sources
Severity
9.3CRITICALNVD
EPSS
91.1%
top 0.36%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Apache Struts
Timeline
PublishedJul 10
Latest updateMay 14

Description

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

NVDapache/struts2.0.02.3.14.1

🔴Vulnerability Details

3
OSV
Arbitrary code execution in Apache Struts2022-05-14
GHSA
Arbitrary code execution in Apache Struts2022-05-14
CVEList
CVE-2013-1966: Apache Struts 2 before 22013-07-10

💥Exploits & PoCs

1
Exploit-DB
Apache Struts - includeParams Remote Code Execution (Metasploit)2013-06-05

📋Vendor Advisories

2
Red Hat
struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags2013-05-22
Red Hat
struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags2013-05-22

💬Community

1
Bugzilla
CVE-2013-1966 struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags2013-05-27
CVE-2013-1966 — Code Injection in Apache Struts | cvebase