CVE-2013-2135
Published 2013-07-16
CVE-2013-2135: Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}"…
Priority: P2 · 58 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 13.83% (96.1th percentile)
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.0.0 < 2.3.14.3 | 2.3.14.3 |
Detection & IOCs (extracted from sources)
Pattern (other): ${...%{...}
Snort rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, cve CVE_2013_2135, confidence Medium, signature_severity Major, updated_at 2020_09_19;)
Bytes: |24 7b| ... |25 7b| ... |7d|
- Look for HTTP URIs containing '/${' followed by an OGNL expression with an assignment operator (e.g., /${<expr>=}), indicative of dynamic action OGNL injection.
- The vulnerability is triggered via a crafted request value containing both '${...}' and '%{...}' sequences, causing double OGNL evaluation; monitor HTTP request URIs and bodies for this combined pattern.
- The vulnerability affects Apache Struts 2 versions before 2.3.14.3 only; patched versions are not affected.
- Struts 2 is not actively compiled, shipped, used, or enabled in Red Hat final products, but struts2-core jars were included in source packages for Fuse Service Works 6.0.0 and Single Sign On 7.3.0+; customers who built artifacts from those sources may be at risk.
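The two detection patterns above, carried from the Emerging Threats rules quoted on this page into a small log-scanning script, as an added example that is not part of the page or of the ET ruleset. The access-log lines are constructed samples (RFC 5737 addresses, placeholder tokens instead of OGNL), and the rule names are hypothetical labels chosen here.

```python
import re
from urllib.parse import unquote

# Regexes mirror the two ET rules quoted above.
# sid:2023535 - "${" optionally followed by whitespace, then "%{" (double evaluation)
DOUBLE_EVAL = re.compile(r"\$\{\s*?%\{")
# sid:2017277 - "/${" then an expression (no "}" or ",") reaching an "=" (dynamic action)
DYNAMIC_ACTION = re.compile(r"/\$\{[^\},]+?=")


def classify_uri(uri):
    """Return the hypothetical rule labels a single request URI would trigger.
    The URI is percent-decoded once first so encoded "${" / "%{" are not missed."""
    decoded = unquote(uri)
    hits = []
    if DOUBLE_EVAL.search(decoded):
        hits.append("struts_ognl_double_eval")
    if DYNAMIC_ACTION.search(decoded):
        hits.append("struts_ognl_dynamic_action")
    return hits


def scan_access_log(lines):
    """Yield (client_ip, uri, hits) for combined-format access-log lines
    ('ip - - [ts] "METHOD uri HTTP/x" status size') that match either rule."""
    req = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = req.match(line)
        if not m:
            continue
        ip, uri = m.group(1), m.group(2)
        hits = classify_uri(uri)
        if hits:
            yield ip, uri, hits


# Constructed sample log lines (not real traffic); "expr" stands in for any OGNL text.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jul/2013:10:00:01 +0000] "GET /app/${%{expr}}.action HTTP/1.1" 404 512',
    '203.0.113.5 - - [16/Jul/2013:10:00:02 +0000] "GET /app/%24%7B%25%7Bexpr%7D%7D.action HTTP/1.1" 404 512',
    '198.51.100.7 - - [16/Jul/2013:10:00:03 +0000] "GET /app/${name=expr}.action HTTP/1.1" 404 512',
    '192.0.2.9 - - [16/Jul/2013:10:00:04 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, uri, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {uri} -> {', '.join(hits)}")
```

The second sample line shows why decoding matters: the percent-encoded form carries the same double-evaluation marker and is flagged identically.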
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| ghsa | | 9.3 | CRITICAL | |
| osv | | 9.3 | CRITICAL | |
| vulncheck | | 9.3 | CRITICAL | |
OSV
Arbitrary code execution in Apache Struts 2
osv · 2022-05-14
CVE-2013-2135 [HIGH] Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
OSV
Arbitrary code execution in Apache Struts 2
osv · 2022-05-14 · CVSS 9.3
CVE-2013-2134 [CRITICAL] Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
GHSA
Arbitrary code execution in Apache Struts 2
ghsa · 2022-05-14
CVE-2013-2135 [HIGH] CWE-94 Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
GHSA
Arbitrary code execution in Apache Struts 2
ghsa · 2022-05-14 · CVSS 9.3
CVE-2013-2134 [CRITICAL] CWE-94 Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
VulnCheck
Apache Struts Improper Control of Generation of Code ('Code Injection')
vulncheck · 2013 · CVSS 9.3
CVE-2013-2134 [CRITICAL] Apache Struts Improper Control of Generation of Code ('Code Injection')
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Affected: Apache Struts
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2013-2134&date=2025-10-13; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2013-2134&date=2025-10-14; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2013-2134&date=2025-10-15; https://api.vulncheck.c
Suricata
ET WEB_SERVER Possible Apache Struts OGNL Expression Injection
suricata · 2016-11-18
CVE-2013-2135 ET WEB_SERVER Possible Apache Struts OGNL Expression Injection
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Expression Injection"; flow:established,to_server; http.uri; content:"|24 7b|"; content:"|25 7b|"; distance:0; content:"|7d|"; distance:0; pcre:"/\${\s*?%{/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:web-application-attack; sid:2023535; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2016_11_18, cve CVE_2013_2135, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_03_07;)
Suricata
ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action
suricata · 2013-08-06
CVE-2013-2135 ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, cve CVE_2013_2135, confidence Medium, signature_severity Major, updated_at 2020_09_19;)
No public exploits indexed.
Bugzilla
CVE-2013-2135 Apache Struts 2 arbitrary OGNL code execution via double evaluation
bugzilla · 2013-07-16 · CVSS 9.3
CVE-2013-2135 [CRITICAL] CVE-2013-2135 Apache Struts 2 arbitrary OGNL code execution via double evaluation
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2135 to
the following vulnerability:
Name: CVE-2013-2135
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2135
Assigned: 20130219
Reference: https://cwiki.apache.org/confluence/display/WW/S2-015
Reference: http://struts.apache.org/development/2.x/docs/s2-015.html
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute
arbitrary OGNL code via a request with a crafted value that contains
both "${}" and "%{}" sequences, which causes the OGNL code to be
evaluated twice.
Discussion:
Upstream bug: https://issues.apache.org/jira/browse/WW-4090
Upstream commit: https://svn.apache.org/viewvc?view=revision&revision=r1490149
Bugzilla
CVE-2013-2134 Apache Struts 2 arbitrary OGNL code execution via unsanitized wildcard matching
bugzilla · 2013-07-16 · CVSS 9.3
CVE-2013-2134 [CRITICAL] CVE-2013-2134 Apache Struts 2 arbitrary OGNL code execution via unsanitized wildcard matching
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2134 to
the following vulnerability:
Name: CVE-2013-2134
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2134
Assigned: 20130219
Reference: https://cwiki.apache.org/confluence/display/WW/S2-015
Reference: http://struts.apache.org/development/2.x/docs/s2-015.html
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute
arbitrary OGNL code via a request with a crafted action name that is
not properly handled during wildcard matching, a different
vulnerability than CVE-2013-2135.
Discussion:
Upstream bug: https://issues.apache.org/jira/browse/WW-4090
Upstream commit: https://svn.apache.org/viewvc?view=revi
References
- http://struts.apache.org/development/2.x/docs/s2-015.html
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
- http://www.securityfocus.com/bid/64758
- https://cwiki.apache.org/confluence/display/WW/S2-015

Published: 2013-07-16