CVE-2013-2134

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Published: Jul 16, 2013
Updated: May 9, 2024
CVE: CVE-2013-2134
GHSA: GHSA-gqqm-564f-vvxq
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
apache / struts	2.0.0	2.3.14.3
org.apache.struts / struts2-core	-	2.3.14.3

http://security.gentoo.org/glsa/glsa-201409-04.xml
http://struts.apache.org/development/2.x/docs/s2-015.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
http://www.securityfocus.com/bid/60346
http://www.securityfocus.com/bid/64758
https://cwiki.apache.org/confluence/display/WW/S2-015

Vulnerability Database

289,697

CVE-2013-2134