Severity: 10.0 CRITICAL
EPSS: 6.2% (top 9.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 30
Latest update: May 17

Description

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

CVSS vector

AV:N/AC:L/C:C/I:C/A:C
Exploitability: 10.0 | Impact: 10.0

Affected Packages (6 packages)

Maven | org.apache.struts:struts2-core | 2.0.0 | 2.3.15.2
Maven | org.apache.struts:struts2-rest-plugin | 2.0.0 | 2.3.15.2
NVD | apache/struts | 45 versions (+44)
NVD | oracle/webcenter_sites | 11.1.1.6.1, 11.1.1.8.0 (+1)

Patches

🔴 Vulnerability Details (3)

OSV: Code injection in Apache Struts (2022-05-17)
GHSA: Code injection in Apache Struts (2022-05-17)
CVEList: CVE-2013-4316: Apache Struts 2 (2013-09-30)

📋 Vendor Advisories (1)

Red Hat: struts: dynamic method executions is enabled by default (2013-09-21)

💬 Community (1)

Bugzilla: CVE-2013-4316 struts: dynamic method executions is enabled by default (2013-09-27)