CVE-2013-2115
Published 2013-07-10 · Priority P2 (73) · Severity high · CVSS 3.1 base score 8.1 · Exploit available · EPSS 72.78% (99.4th percentile)
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | 2.0.0 – 2.3.14.1 | — |
Detection & IOCs (extracted from sources)
- Detect OGNL injection via the includeParams attribute: look for crafted HTTP GET or POST parameters containing OGNL expressions (e.g. patterns starting with '${' or '#_memberAccess') targeting Struts URL or A tag actions.
- Monitor HTTP requests (GET and POST) to Struts .action endpoints for parameter values containing OGNL static method access patterns such as '#_memberAccess["allowStaticMethodAccess"]=true'.
- Alert on HTTP requests to Struts action endpoints where any parameter value contains '@java.lang.Runtime@getRuntime().exec' or '@java.lang.Thread@sleep', indicating OGNL-based RCE or timing-based check attempts.
- When a GET-based action is targeted, the OGNL payload may be split across multiple parameters because of URI length limits; correlate fragmented suspicious parameters within the same request.
- Watch for file writes to /tmp/ followed by chmod and execution commands, which indicate successful Linux-platform exploitation via the Java Runtime exec OGNL payload.
- The exploit uses Base64-encoded payloads decoded via 'sun.misc.BASE64Decoder' and written to disk; detect HTTP parameters containing large Base64 blobs alongside OGNL FileOutputStream patterns.
- CVE-2013-2115 is specifically the result of an incomplete fix for CVE-2013-1966 in Struts 2.3.14.1; only Struts 2.3.14.1 (and earlier unfixed versions) are vulnerable, and 2.3.14.2 fully resolves both CVEs.
- The exploit supports the GET and POST HTTP methods; detection rules must cover both, as the parameter used for injection is arbitrary and does not need to be an expected application parameter.
- The vulnerability is triggered only when the includeParams attribute is set to 'get' or 'all' in URL/A tags, causing a second OGNL evaluation of request parameters.
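As an added example (not taken from any of the sources quoted on this page), the detection notes above turned into a small Python scanner: it URL-decodes the GET and POST parameters of requests to .action endpoints, checks parameter names and values for the indicator strings listed, and also rejoins the values so a payload fragmented across several parameters is still caught. The simplified log line format and the sample lines are constructed assumptions.

```python
"""Scan simplified request lines for the CVE-2013-2115 OGNL indicators listed above."""
from urllib.parse import parse_qsl, urlsplit

# Indicator substrings from this page's detection notes; compared after URL-decoding.
OGNL_INDICATORS = ("${", "#_memberAccess", "allowStaticMethodAccess",
                   "@java.lang.Runtime@getRuntime().exec", "@java.lang.Thread@sleep",
                   "sun.misc.BASE64Decoder", "FileOutputStream")

# Constructed sample log; assumed line format "METHOD URI [form-encoded body]".
SAMPLE_LOG = [
    "GET /app/index.action?id=42",
    "GET /app/index.action?x=%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue",
    "POST /app/save.action name=bob&note=%24%7B%40java.lang.Thread%40sleep(5000)%7D",
    "GET /app/page.action?a=%23_member&b=Access",
    "GET /static/logo.png?v=%23_memberAccess",
]

def parse_request(line):
    """Return (method, path, [(name, value), ...]); query and body parameters are merged
    because includeParams="all" makes Struts re-evaluate both GET and POST parameters."""
    parts = line.split(" ", 2)
    method, uri = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    split = urlsplit(uri)
    params = parse_qsl(split.query, keep_blank_values=True)  # parse_qsl URL-decodes
    params += parse_qsl(body, keep_blank_values=True)
    return method, split.path, params

def ognl_hits(params):
    """Indicators seen in any parameter name or value, or in all values joined in request
    order, which catches a payload fragmented across parameters to fit URI length limits."""
    texts = [f"{name}={value}" for name, value in params]
    texts.append("".join(value for _, value in params))
    return sorted({ind for text in texts for ind in OGNL_INDICATORS if ind in text})

def scan(lines):
    """Alert only on Struts .action endpoints; requests for static assets are ignored."""
    alerts = []
    for line in lines:
        method, path, params = parse_request(line)
        if path.endswith(".action"):
            hits = ognl_hits(params)
            if hits:
                alerts.append((method, path, hits))
    return alerts
```

Running `scan(SAMPLE_LOG)` flags the second, third and fourth sample lines and ignores the static asset request even though its parameter carries an indicator.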
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | – | 9.3 | CRITICAL | – |
Red Hat
struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
vendor_redhat · 2013-05-22 · CVSS 9.3 · CRITICAL
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages.
OSV
Code injection in Apache Struts
osv · 2022-05-13 · HIGH
A vulnerability introduced by forcing parameter inclusion in the URL and Anchor tag allows remote command execution, session access and manipulation, and XSS attacks.
Both the s:url and s:a tags provide an includeParams attribute. Its purpose is to control whether HTTP request parameters are included in the generated URL.
The allowed values of includeParams are:
- none - include no parameters in the URL (default)
- get - include only GET parameters in the URL
- all - include both GET and POST parameters in the URL
A request that includes a specially crafted request parameter can be used to inject arbitrary OGNL code into the stack; that code is afterwards used as a request parameter of a URL or A tag, which causes a further evaluation.
The second evaluation happ
GHSA
Code injection in Apache Struts
ghsa · 2022-05-13 · HIGH · CWE-94
No detection rules found.
Exploit-DB
Apache Struts - includeParams Remote Code Execution (Metasploit)
exploitdb · 2013-06-05
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Apache Struts includeParams Remote Code Execution',
      'Description' => %q{
          This module exploits a remote command execution vulnerability in Apache Struts
        versions < 2.3.14.2. A specifically crafted request parameter can be used to inject
        arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.
        When targeting an action which requires interaction through GET, the payload should
        be split, taking into account the URI limits. In this case, if the rendered JSP has
        more than one point of injection, it could result in payload corruption. This should
        happen only when the payload is larger than the URI length.
      },
      'Author'      =>
        [
          # This vulnerability was also discovered by unknown members of:
          # 'Coverity security Research Laboratory'
          # 'NSFOCUS Security Team'
          'Eric Kobrin',       # Vulnerability Discovery
          'Douglas Rodrigues', # Vulnerability Discovery
          'Richard Hicks '     # Metasploit Module
        ],
      'License'     => MSF_LICENSE,
      'Ref
```
Metasploit
Apache Struts includeParams Remote Code Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.14.2. A specifically crafted request parameter can be used to inject arbitrary OGNL code into the stack bypassing Struts and OGNL library protections. When targeting an action which requires interaction through GET, the payload should be split, taking into account the URI limits. In this case, if the rendered JSP has more than one point of injection, it could result in payload corruption. This should happen only when the payload is larger than the URI length.
References:
- http://struts.apache.org/development/2.x/docs/s2-014.html
- http://www.securityfocus.com/bid/60167
- https://bugzilla.redhat.com/show_bug.cgi?id=967656
- https://cwiki.apache.org/confluence/display/WW/S2-014