cvebase
CVE-2013-2135
published 2013-07-16

Priority: P258, critical, CVSS 2.0 score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 13.83% (percentile 96.1)
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

Affected (1 range)

Vendor   Product   Version range           Fixed in
apache   struts    >= 2.0.0, < 2.3.14.3    2.3.14.3

Detection & IOCs (extracted from sources)

other: ${...%{...}
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, cve CVE_2013_2135, confidence Medium, signature_severity Major, updated_at 2020_09_19;)
bytes:
|24 7b| ... |25 7b| ... |7d|
  • Look for HTTP URIs containing '/${' followed by an OGNL expression with an assignment operator (e.g., /${<expr>=}), indicative of dynamic action OGNL injection.
  • The vulnerability is triggered via a crafted request value containing both '${...}' and '%{...}' sequences, causing double OGNL evaluation; monitor HTTP request URIs and bodies for this combined pattern.
  • The vulnerability affects Apache Struts 2 versions before 2.3.14.3 only; patched versions are not affected.
  • Struts 2 is not actively compiled, shipped, used, or enabled in Red Hat final products, but struts2-core jars were included in source packages for Fuse Service Works 6.0.0 and Single Sign On 7.3.0+; customers who built artifacts from those sources may be at risk.
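As an added example, not part of this record or of the Snort signature above: a small Python check that applies both detection conditions listed here (the rule's `/${<expr>=` URI pattern and the combined `${...}` / `%{...}` pattern) to request lines. The percent-decoding step and the sample requests are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Python equivalent of the Snort rule's pcre: "/${" followed by an OGNL
# expression that contains an assignment operator, e.g. /${<expr>=...}
DYNAMIC_ACTION_RE = re.compile(r"/\$\{[^},]+?=")

# The two sequences named in the advisory text. A value carrying both is the
# double-evaluation trigger (bytes: |24 7b| ... |25 7b| ... |7d|).
DOLLAR_BRACE_RE = re.compile(r"\$\{[^}]*\}")
PERCENT_BRACE_RE = re.compile(r"%\{[^}]*\}")


def classify_request(uri, body=""):
    """Return the names of the detections that fire on one HTTP request.

    Both fields are percent-decoded first (an assumption added here, so that
    an encoded "%24%7B" is matched as "${" the way a normalized URI buffer is).
    """
    uri, body = unquote(uri), unquote(body)
    hits = []
    if DYNAMIC_ACTION_RE.search(uri):
        hits.append("dynamic-action-ognl")      # logic of Snort sid:2017277
    if any(DOLLAR_BRACE_RE.search(f) and PERCENT_BRACE_RE.search(f)
           for f in (uri, body)):
        hits.append("double-evaluation")        # "${...}" and "%{...}" together
    return hits


# Constructed sample requests (not captured traffic); values are placeholders.
SAMPLE_REQUESTS = [
    ("/struts2-blank/example/HelloWorld.action", ""),   # benign
    ("/${x=1}.action", ""),                              # dynamic action pattern
    ("/%24%7Bx%3D1%7D.action", ""),                      # same, URL-encoded
    ("/login.action", "user=${%{1}}"),                   # both sequences in body
    ("/search.action", "q=${name}"),                     # one sequence only
]


def scan(requests):
    """Map each (uri, body) pair to the detections it triggers."""
    return [(uri, classify_request(uri, body)) for uri, body in requests]


if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_REQUESTS):
        print(f"{uri:45} {hits or '-'}")
```

The encoded sample shows why decoding before matching matters: without it, the `/${` content match never sees the literal bytes.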

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
ghsa                  9.3     CRITICAL
osv                   9.3     CRITICAL
vulncheck             9.3     CRITICAL