8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2013-2115

GHSA ID

GHSA-7ghm-rpc7-p7g5

EPSS Score

0.99615%

CWE

CWE-94

Published

5/13/2022

Updated

12/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-2115

CVE-2013-2115: Code injection in Apache Struts

A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.

both the s:url and s:a tag provide an includeParams attribute.

The main scope of that attribute is to understand whether includes http request parameter or not.

The allowed values of includeParams are:

none - include no parameters in the URL (default)
get - include only GET parameters in the URL
all - include both GET and POST parameters in the URL

A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation.

The second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request. This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2013-2115

GHSA ID

GHSA-7ghm-rpc7-p7g5

EPSS Score

0.99615%

CWE

CWE-94

Published

5/13/2022

Updated

12/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.struts:struts2-core	maven	>= 2.0.0, < 2.3.14.2	2.3.14.2
org.apache.struts.xwork:xwork-core	maven	>= 2.0.0, < 2.3.14.2	2.3.14.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) The mutable allowStaticMethodAccess flag in SecurityMemberAccess allowed enabling dangerous OGNL features (patched by making it final and removing the setter). 2) The URL parameter handling in DefaultUrlHelper performed OGNL evaluation through translateAndEncode/translateAndDecode methods before encoding (patched by removing OGNL evaluation from parameter processing). These functions directly enabled the double-evaluation of malicious OGNL expressions in URL parameters when using includeParams='get' or 'all' in Struts tags.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility intro*u*** *y *or*in* p*r*m*t*r in*lusion in t** URL *n* *n**or T** *llows r*mot* *omm*n* *x**ution, s*ssion ****ss *n* m*nipul*tion *n* XSS *tt**ks. *ot* t** s:url *n* s:* t** provi** *n in*lu**P*r*ms *ttri*ut*. T** m*in s*op* o* t

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) T** mut**l* *llowSt*ti*M*t*o*****ss *l** in S**urityM*m**r****ss *llow** *n**lin* **n**rous O*NL ***tur*s (p*t**** *y m*kin* it *in*l *n* r*movin* t** s*tt*r). *) T** URL p*r*m*t*r **n*lin* in ****ultUr

8.1

Basic Information

Concerned about an active attack path?

CVE-2013-2115: Code injection in Apache Struts

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI