Bug 967656 - (CVE-2013-1966, CVE-2013-2115) CVE-2013-1966 struts2: remote command execution due to flaw in the includeParams attribute of URL and Anchor tags
CVE-2013-1966 struts2: remote command execution due to flaw in the includePar...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
Blocks: 967657
  Show dependency treegraph
Reported: 2013-05-27 16:11 EDT by Vincent Danen
Modified: 2018-03-01 14:25 EST (History)
4 users (show)

See Also:
Fixed In Version: Struts
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-05-27 21:57:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-05-27 16:11:51 EDT
As per the upstream report:

Both the s:url and s:a tag provide an includeParams attribute.

The main scope of that attribute is to understand whether includes http request parameter or not.

The allowed values of includeParams are:

1. none - include no parameters in the URL (default)
2. get - include only GET parameters in the URL
3. all - include both GET and POST parameters in the URL

A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation.

The second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request.
This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

This flaw is reported to affect Struts 2.0.0 through to Struts 2.3.14.  It is corrected in

External References:

Comment 1 Vincent Danen 2013-05-27 16:15:27 EDT
Note that Struts was released due to an incomplete/incorrect fix for CVE-2013-1966 in version  A new CVE was assigned for this incomplete fix (CVE-2013-2115) but would only affect version or any other supplied version of Struts with the incorrect patch.

This issue is fully corrected in as per:

Comment 2 Arun Babu Neelicattu 2013-05-27 21:57:39 EDT

Not Vulnerable. This issue only affects struts 2, it does not affect the
versions of struts as shipped with various Red Hat products.
Comment 3 Mark J. Cox 2013-11-28 03:47:59 EST
had this affected Red Hat products it would have done so with impact=critical.

Note You need to log in before you can comment on or make changes to this bug.