CVE-2013-2134 — HIGH (9.3) — White Hats Nepal

Q: How severe is CVE-2013-2134?

CVE-2013-2134 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-2134?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts.

Vulnerability Description

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

CVSS Score

9.3

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Apache	Struts	>= 2.0.0, < 2.3.14.3

Related Weaknesses (CWE)

CWE-94

References

http://security.gentoo.org/glsa/glsa-201409-04.xmlThird Party Advisory
http://struts.apache.org/development/2.x/docs/s2-015.htmlVendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.htmlThird Party Advisory
http://www.securityfocus.com/bid/60346Third Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/64758Third Party AdvisoryVDB Entry
https://cwiki.apache.org/confluence/display/WW/S2-015Vendor Advisory
http://security.gentoo.org/glsa/glsa-201409-04.xmlThird Party Advisory
http://struts.apache.org/development/2.x/docs/s2-015.htmlVendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.htmlThird Party Advisory
http://www.securityfocus.com/bid/60346Third Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/64758Third Party AdvisoryVDB Entry
https://cwiki.apache.org/confluence/display/WW/S2-015Vendor Advisory

FAQ

What is CVE-2013-2134?

CVE-2013-2134 is a vulnerability with a CVSS score of 9.3 (HIGH). Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulne...

How severe is CVE-2013-2134?

CVE-2013-2134 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-2134?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts.