CVE-2013-2115

high-risk

Published 2013-07-10

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

Do I need to act?

87.6% chance of exploitation in next 30 days

EPSS score — higher than 12% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

25980

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (1)

Struts

Affected Vendors

Apache

References (8)

Vendor Advisory http://struts.apache.org/development/2.x/docs/s2-014.html

Third Party Advisory http://www.securityfocus.com/bid/60167

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=967656

Vendor Advisory https://cwiki.apache.org/confluence/display/WW/S2-014

Vendor Advisory http://struts.apache.org/development/2.x/docs/s2-014.html

Third Party Advisory http://www.securityfocus.com/bid/60167

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=967656

Vendor Advisory https://cwiki.apache.org/confluence/display/WW/S2-014

/ 100

high-risk

Severity 24/34 · High

Exploitability 27/34 · High

Exposure 5/34 · Minimal