CVE-2013-1966
published 2013-07-10

Priority: P275, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.77% (99.3th percentile)
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| apache | struts | >= 2.0.0 < 2.3.14.1 | 2.3.14.1 |
| apache | struts | 2.0.0 – 2.3.14.1 | |

Detection & IOCs (extracted from sources)

port: 8080
path: /struts2-blank/example/HelloWorld.action
command: ${#_memberAccess["allowStaticMethodAccess"]=true,CMD}
command: @java.lang.Thread@sleep(${sleep_time * 1000})
command: @java.lang.Runtime@getRuntime().exec("/bin/sh_-c_chmod +x #{@payload_exe}".split("_"))
  • Detect OGNL injection attempts in HTTP request parameters targeting the includeParams attribute of URL/A tags; look for OGNL expressions such as ${...} or %{...} containing #_memberAccess or @java.lang.Runtime@ in any request parameter value.
  • Flag HTTP requests (GET or POST) to .action endpoints containing the string allowStaticMethodAccess in any parameter value, as this is the OGNL bypass pattern used by the exploit.
  • Monitor for exploitation of the default target path /struts2-blank/example/HelloWorld.action on port 8080, which is the default used by the Metasploit module for this CVE.
  • Detect time-based blind exploitation attempts: the check function sends an OGNL payload invoking @java.lang.Thread@sleep() and measures response delay; anomalous response latency on .action endpoints combined with OGNL syntax in parameters is a strong indicator.
  • Alert on file writes to /tmp/ followed by chmod and execution via Runtime.exec from a Java web application process, which is the Linux payload delivery chain used by the exploit.
  • The exploit supports both GET and POST methods; ensure WAF/IDS rules inspect both HTTP methods for OGNL injection patterns in parameter values, not just POST bodies.
  • When exploiting via GET, the OGNL payload may be split across multiple parameters due to URI length limits, which can cause payload corruption if the rendered JSP has more than one injection point.
  • CVE-2013-1966 affects Struts 2.0.0 through 2.3.14; the fix in 2.3.14.1 was incomplete (tracked as CVE-2013-2115) and the vulnerability is only fully corrected in 2.3.14.2.
  • The exploit parameter name is randomized by default (rand_text_alpha_lower(4)), meaning signature-based detection on a fixed parameter name will not reliably catch all exploitation attempts.
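
The request-inspection rules in the list above, sketched as an added example (not code from this page's sources or from Struts): it decodes GET and POST parameters on `.action` endpoints and matches on values only, since the parameter name is randomized. The function names and sample requests are constructed, and the concatenation check for split GET payloads assumes fragments arrive in request order.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# OGNL expression delimiters and the marker strings named in the notes above.
OGNL_EXPR = re.compile(r"[$%]\{.*\}", re.S)
MARKERS = ("#_memberAccess", "allowStaticMethodAccess",
           "@java.lang.Runtime@", "@java.lang.Thread@sleep")

def params(method, url, body=""):
    """Yield URL-decoded (name, value) pairs from the query string and form body."""
    yield from parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST":
        yield from parse_qsl(body, keep_blank_values=True)

def inspect(method, url, body=""):
    """Return sorted findings for one request; an empty list means no match."""
    if not urlsplit(url).path.endswith(".action"):
        return []
    values = [v for _, v in params(method, url, body)]
    findings = set()
    # Check each value, then the concatenation of all values (assumption:
    # a payload split across parameters is reassembled in request order).
    for value in values + ["".join(values)]:
        if OGNL_EXPR.search(value):
            findings.add("ognl-expression")
        findings.update(m for m in MARKERS if m in value)
    return sorted(findings)

PATH = "/struts2-blank/example/HelloWorld.action"  # default path from this page
SAMPLES = [  # constructed requests, not captured traffic; CMD and N are placeholders
    ("GET", PATH + "?" + urlencode(
        {"abcd": '${#_memberAccess["allowStaticMethodAccess"]=true,CMD}'}), ""),
    ("POST", PATH, urlencode({"wxyz": "${@java.lang.Thread@sleep(N)}"})),
    ("GET", PATH + "?" + urlencode({"name": "alice"}), ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url[:60], "->", inspect(method, url, body) or "clean")
```

Matching on decoded values catches percent-encoded payloads that a raw string match on the request line would miss; pair it with the latency and process-execution signals above rather than relying on it alone.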

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat: 9.3 CRITICAL