Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-2115 — Code Injection in Apache Struts

CWE-94 — Code Injection6 documents6 sources

Severity

8.1HIGHNVD

CNA9.3

EPSS

87.6%

top 0.53%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Struts

Timeline

PublishedJul 10

Latest updateMay 13

Description

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages1 packages

▶NVDapache/struts2.0.0 — 2.3.14.1

🔴Vulnerability Details

OSV

Code injection in Apache Struts↗2022-05-13

▶

GHSA

Code injection in Apache Struts↗2022-05-13

▶

CVEList

CVE-2013-2115: Apache Struts 2 before 2↗2013-07-10

▶

💥Exploits & PoCs

Exploit-DB

Apache Struts - includeParams Remote Code Execution (Metasploit)↗2013-06-05

▶

📋Vendor Advisories

Red Hat

struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags↗2013-05-22

▶