CVE-2013-2134

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Published Bysecalert@redhat.com

Published DateJul 16, 2013, 18:55

Affected Versions(2)

org.apache.struts:struts2-core(Maven)

Introduced2.0.0

Fixed2.3.14.3

LimitN/A

org.apache.struts.xwork:xwork-core(Maven)

Introduced2.0.0

Fixed2.3.14.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.struts:struts2-core(Maven)	2.0.0	2.3.14.3	N/A
org.apache.struts.xwork:xwork-core(Maven)	2.0.0	2.3.14.3	N/A

Weakness Type (CWE):CWE-94

CVSS Metrics

Base Score

9.3

Vector String

AV:N/AC:M/Au:N/C:C/I:C/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

COMPLETE

Integrity (I)

COMPLETE

Availability (A)

COMPLETE

References

Weakness Type (CWE):CWE-94

CVSS Metrics

Base Score

9.3

Vector String

AV:N/AC:M/Au:N/C:C/I:C/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

COMPLETE

Integrity (I)

COMPLETE

Availability (A)

COMPLETE