ghsa-7ghm-rpc7-p7g5
Vulnerability from github
Published
2022-05-13 01:16
Modified
2022-11-03 23:44
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Code injection in Apache Struts
Details

A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.

both the s:url and s:a tag provide an includeParams attribute.

The main scope of that attribute is to understand whether includes http request parameter or not.

The allowed values of includeParams are:

none - include no parameters in the URL (default)
get - include only GET parameters in the URL
all - include both GET and POST parameters in the URL

A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation.

The second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request. This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.3.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts.xwork:xwork-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.3.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-2115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-03T23:44:50Z",
    "nvd_published_at": "2013-07-10T19:55:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks.\n\nboth the s:url and s:a tag provide an includeParams attribute.\n\nThe main scope of that attribute is to understand whether includes http request parameter or not.\n\nThe allowed values of includeParams are:\n\n    none - include no parameters in the URL (default)\n    get - include only GET parameters in the URL\n    all - include both GET and POST parameters in the URL\n\nA request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation.\n\nThe second evaluation happens when the URL/A tag tries to resolve every parameters present in the original request.\nThis lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.\n\nThe issue was originally addressed by Struts 2.3.14.1 and Security Announcement [S2-013](https://cwiki.apache.org/confluence/display/WW/S2-013). However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.",
  "id": "GHSA-7ghm-rpc7-p7g5",
  "modified": "2022-11-03T23:44:50Z",
  "published": "2022-05-13T01:16:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/d7804297e319c7a12245e1b536e565fcea6d650"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/d934c6e7430b7b98e43a0a085a2304bd31a75c3d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/ea96d18d0f75c390d2595648efa3563785c272c6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/fed4f8e8a4ec69b5e7612b92d8ce3e476680474"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=967656"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/WW/S2-013"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/WW/S2-014"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/struts"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/WW-4063"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20140212000331/http://www.securityfocus.com/bid/60167"
    },
    {
      "type": "WEB",
      "url": "http://struts.apache.org/development/2.x/docs/s2-014.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code injection in Apache Struts"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.