Description

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

Affected Software:
Struts 2.0.0 - Struts 2.3.15

Remediation

Developers should immediately upgrade to Struts 2.3.15.1

References

Apache Struts 2 S2-016

Related Vulnerabilities

Ruby on Rails Improper Input Validation Vulnerability (CVE-2013-0156)

Lucee Unset Admin Password

WordPress Plugin Events Manager Pro CSV Injection (2.6.7.1)

WordPress Plugin Category List Portfolio Page TimThumb Arbitrary File Upload (1.2.3)

WordPress Super Socialat backdoor plugin

Severity

Critical

Classification

CVE-2013-2251 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution