cbcvebase.
CVE-2013-2134
published 2013-07-16


Priority: P1 (80), critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 70.21% (99.3rd percentile)
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Affected (1 range)

Vendor | Product | Version range | Fixed in
apache | struts | >= 2.0.0, < 2.3.14.3 | 2.3.14.3

Detection & IOCs (extracted from sources)

url (encoded): http://www.example.com/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D
url (decoded): http://www.example.com/example/${#foo='Menu',#foo}
  • Detect OGNL expression injection via a crafted action name in the URL path: look for raw or URL-encoded OGNL expressions (e.g. ${...}, or %24%7B...%7D once percent-encoded) in the action-name segment of HTTP requests to Struts 2 applications. Percent-decode the path before matching, since the expression may arrive encoded or double-encoded.
  • Flag HTTP requests whose action-name segment itself contains an OGNL expression; the vulnerability is triggered when Struts evaluates the crafted action name during wildcard action matching, so the payload sits in the path segment, not in the query string.
  • Search for struts2*.jar files in build artifacts from Fuse Service Works 6.0.0 and Single Sign On 7.3.0+ source packages, as these may contain vulnerable struts2-core jars.
  • Affects Apache Struts 2.0.0 up to, but not including, 2.3.14.3; upgrade to 2.3.14.3 or later to remediate.
  • This is a distinct vulnerability from CVE-2013-2135, though both involve OGNL injection in Struts 2 wildcard matching.
  • Red Hat products (Fuse Service Works 6.0.0, Single Sign On 7.3.0+) included struts2-core in source jars via the google-guice import; no runtime functionality uses it, but customers building from source may be at risk.
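The two detection bullets above can be turned into a small log scanner. The following Python is an added example written for this page, not code from the page's sources or from the Struts project; the access-log lines it scans are constructed (the page's example.com IOC in raw, encoded and double-encoded form, plus a benign request and one that carries ${...} only in the query string), and the action-name extension list (.action, .do) is an assumption about the target deployment.

```python
"""Detect OGNL expressions in the Struts 2 action-name segment of request URLs.

Added example for CVE-2013-2134 (crafted action name evaluated during wildcard
matching); the sample log lines below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (assumed format, not real traffic):
# a benign request, the page's IOC encoded and raw, a double-encoded variant,
# and a request with ${...} only in the query string (not the action name).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2013:10:00:01 +0000] "GET /example/Menu.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2013:10:00:02 +0000] "GET /example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D HTTP/1.1" 200 512 "-" "curl/7.30"
203.0.113.7 - - [16/Jul/2013:10:00:03 +0000] "GET /example/${#foo='Menu',#foo}.action HTTP/1.1" 200 512 "-" "curl/7.30"
203.0.113.9 - - [16/Jul/2013:10:00:04 +0000] "GET /example/%2524%257B%2523foo%257D.action HTTP/1.1" 404 0 "-" "python-requests/1.2"
203.0.113.9 - - [16/Jul/2013:10:00:05 +0000] "GET /example/search.action?q=%24%7Bx%7D HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d')
# OGNL expression openers that Struts 2 evaluates: ${...} and %{...}
OGNL_OPENER_RE = re.compile(r'[$%]\{')
# Assumed action-URL extensions to strip before inspecting the name.
ACTION_EXT_RE = re.compile(r'\.(?:action|do)$')


def decode_fully(s: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def action_name(target: str) -> str:
    """Return the decoded action-name segment of a request target.

    The query string is cut at the first '?' before decoding, and urlsplit is
    deliberately avoided: '#' is an OGNL token, so a decoded '%23' would
    otherwise be taken as a URL fragment delimiter and truncate the name.
    """
    path = target.split('?', 1)[0]
    segment = decode_fully(path).rstrip('/').rsplit('/', 1)[-1]
    return ACTION_EXT_RE.sub('', segment)


def is_suspicious(target: str) -> bool:
    """True if the action-name segment contains an OGNL expression opener."""
    return bool(OGNL_OPENER_RE.search(action_name(target)))


def scan(log_text: str) -> list:
    """Return one record per log line whose action name looks like OGNL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group('target')
        if is_suspicious(target):
            hits.append({
                'client': line.split(' ', 1)[0],
                'target': target,
                'action': action_name(target),
            })
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']}  action={hit['action']!r}  target={hit['target']}")
```

Run against the constructed lines, the scanner flags the three requests whose action-name segment decodes to an OGNL expression and ignores the one whose ${...} sits only in the query string, which matches the page's point that this CVE is triggered by the action name itself.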

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa | | 9.3 | CRITICAL |
osv | | 9.3 | CRITICAL |
vulncheck | | 9.3 | CRITICAL |