CVE-2013-2251

CVE Database · CVE-2013-2251

CVE-2013-2251

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

100.00%

Published

Jul 20, 2013

Modified

Apr 22, 2026

CISA Known Exploited Vulnerability

Added: 2022-03-25 · Due: 2022-04-15

Apply updates per vendor instructions.

Public PoC / Exploit (5)

All weaponized →

Exploit-DBApache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (Metasploit)Exploit-DBApache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCnth347/CVE-2013-2251★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-74CWE-74

Affected Products (17)

apache · archiva (up to 1.3.8)vulnerable

apache · archivavulnerable

apache · strutsvulnerable

fujitsu · interstage_business_process_manager_analyticsvulnerable

microsoft · windows_server_2003

microsoft · windows_server_2008

redhat · enterprise_linux

fujitsu · interstage_business_process_manager_analyticsvulnerable

microsoft · windows_server_2003

microsoft · windows_server_2008

References (20)

http://archiva.apache.org/security.html

Product

http://cxsecurity.com/issue/WLB-2014010087

ExploitThird Party Advisory

http://osvdb.org/98445

Broken Link

http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2013/Oct/96

ExploitMailing ListThird Party Advisory

http://seclists.org/oss-sec/2014/q1/89

KEV Catalog EPSS Scores Vendors All CVEs