cbcvebase.
CVE-2013-2115
published 2013-07-10

CVE-2013-2115: Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the…

PriorityP273high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
EXPLOIT
EPSS
72.78%
99.4th percentile
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

Affected

1 ranges
VendorProductVersion rangeFixed in
apachestruts2.0.0 – 2.3.14.1

Detection & IOCsextracted from sources · hover to see the quote

url/struts2-blank/example/HelloWorld.action
port8080
command${#_memberAccess["allowStaticMethodAccess"]=true,CMD}
command@java.lang.Thread@sleep(#{sleep_time * 1000})
command@java.lang.Runtime@getRuntime().exec("/bin/sh_-c_chmod +x #{@payload_exe}".split("_"))
  • Detect OGNL injection via the includeParams attribute: look for crafted HTTP GET or POST parameters containing OGNL expressions (e.g. patterns starting with '${' or '#_memberAccess') targeting Struts URL or A tag actions.
  • Monitor HTTP requests (GET and POST) to Struts .action endpoints for parameter values containing OGNL static method access patterns such as '#_memberAccess["allowStaticMethodAccess"]=true'.
  • Alert on HTTP requests to Struts action endpoints where any parameter value contains '@java.lang.Runtime@getRuntime().exec' or '@java.lang.Thread@sleep', indicating OGNL-based RCE or timing-based check attempts.
  • When targeting GET-based actions, the OGNL payload may be split across multiple parameters due to URI length limits — correlate fragmented suspicious parameters in the same request.
  • Watch for file writes to /tmp/ followed by chmod and execution commands, which indicate successful Linux-platform exploitation via the Java Runtime exec OGNL payload.
  • The exploit uses Base64-encoded payloads decoded via 'sun.misc.BASE64Decoder' written to disk; detect HTTP parameters containing large Base64 blobs alongside OGNL FileOutputStream patterns.
  • ·CVE-2013-2115 is specifically the result of an incomplete fix for CVE-2013-1966 in Struts 2.3.14.1; only Struts 2.3.14.1 (and earlier unfixed versions) are vulnerable — 2.3.14.2 fully resolves both CVEs.
  • ·The exploit supports GET and POST HTTP methods; detection rules must cover both, as the PARAMETER used for injection is arbitrary and does not need to be an expected application parameter.
  • ·The vulnerability is triggered only when the includeParams attribute is set to 'get' or 'all' in URL/A tags, causing a second OGNL evaluation of request parameters.

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.