Bug 986183 - (CVE-2013-2251) CVE-2013-2251 Apache Struts 2 arbitrary OGNL code execution via crafted parameters
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20130714,repo...
Keywords: Security
Blocks: 985126
Reported: 2013-07-19 03:36 EDT by Arun Babu Neelicattu
Modified: 2015-07-31 06:51 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-19 03:51:42 EDT
Description Arun Babu Neelicattu 2013-07-19 03:36:43 EDT
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1, the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server-side code.

Upstream Advisory: http://struts.apache.org/release/2.3.x/docs/s2-016.html
Upstream bug: https://issues.apache.org/jira/browse/WW-4140
Upstream commit: https://svn.apache.org/viewvc?view=revision&revision=r1503127
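
An added detection example, not part of the bug report or of Struts: it scans access-log lines for parameter names that use the three prefixes named above and separates ordinary button-style use from names that carry an OGNL expression delimiter (`${` or `%{`) after the prefix. The log lines, paths and addresses are constructed samples, and only query strings are covered, since form bodies do not appear in an access log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes named in the bug description.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# OGNL expression delimiters as used in Struts 2: ${...} and %{...}.
OGNL_MARKER = re.compile(r"[$%]\{")
# Request target inside a common/combined-format access-log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2013:03:40:01 -0400] "GET /app/list.action?page=2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [19/Jul/2013:03:40:05 -0400] "GET /app/edit.action?action:save=Save HTTP/1.1" 200 734',
    '198.51.100.7 - - [19/Jul/2013:03:41:12 -0400] "GET /app/index.action?redirect:%25%7Bconstructed%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [19/Jul/2013:03:41:13 -0400] "GET /app/index.action?redirectAction:$%7Bconstructed%7D HTTP/1.1" 302 0',
]

def classify(name):
    """Return 'ognl', 'prefix' or None for one URL-decoded parameter name."""
    for prefix in PREFIXES:
        if name.startswith(prefix):
            rest = name[len(prefix):]
            # 'prefix' = the intended button use; 'ognl' = expression syntax present.
            return "ognl" if OGNL_MARKER.search(rest) else "prefix"
    return None

def scan_query(query):
    """Classify every parameter name in a raw (still percent-encoded) query string."""
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        verdict = classify(name)
        if verdict:
            hits.append((verdict, name))
    return hits

def scan_log(lines):
    """Yield (line_number, verdict, parameter_name) for prefixed parameters."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for verdict, name in scan_query(urlsplit(match.group(1)).query):
                yield number, verdict, name

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```
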
Comment 1 Arun Babu Neelicattu 2013-07-19 03:51:42 EDT
Statement:

Not Vulnerable. This issue only affects Struts 2; it does not affect the versions of Struts as shipped with various Red Hat products.