Bug 967655 (CVE-2013-1965) - CVE-2013-1965 struts2: remote command execution in Showcase app
Summary: CVE-2013-1965 struts2: remote command execution in Showcase app
Alias: CVE-2013-1965
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 967657
Reported: 2013-05-27 20:09 UTC by Vincent Danen
Modified: 2021-02-17 07:40 UTC (History)

Fixed In Version: Struts
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-05-28 01:57:31 UTC


Description Vincent Danen 2013-05-27 20:09:23 UTC
As per the upstream report:

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterwards used as a request parameter of a redirect address, which will cause a further evaluation.

OGNL evaluation was already addressed in S2-003, S2-005 and S2-009, but, since it involved just the parameter's name, it turned out that the resulting fixes, based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.

The second evaluation happens when the redirect result reads it from the stack and uses the previously injected code as a redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

This flaw is reported to affect Struts 2.0.0 through to Struts 2.3.14.  It is corrected in

External References:


Comment 4 Chess Hazlett 2019-09-17 20:36:25 UTC

A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Google Guice repository, which includes struts2-core. Customers that build artefacts from our source code could be at risk. Red Hat will remove these artefacts from source code in future releases.

The products that included the Struts 2 artefacts in their source jars:
Fuse Service Works 6.0.0
Single Sign On 7.3.0+

If you have used the source package from one of these products to build artefacts on your system, you should do the following to remove potentially affected jars:
1. Run 'find . -name struts2*.jar' under the source location
2. Remove any files found
This will not affect the product, as the jar is included with the source of google-guice, but no functionality requiring struts2 is implemented.
