Bug 858826 (CVE-2013-2251) - VUL-0:CVE-2013-2251: struts: remote code execution
Summary: VUL-0:CVE-2013-2251: struts: remote code execution
Status: RESOLVED INVALID
Alias: CVE-2013-2251
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-15 09:04 UTC by Sebastian Krahmer
Modified: 2014-02-25 09:52 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2014-01-15 09:04:40 UTC
Via OSS-sec:

>
> : Please assign CVE for Apache Archiva 0day
> : : http://cxsecurity.com/issue/WLB-2014010087
>
> From that link:
>
> Apache Archiva use Apache Struts2:
>  "In Struts 2 before 2.3.15.1 the information following "action:",
> "redirect:" or "redirectAction:" is not properly sanitized. Since said
> information will be evaluated as OGNL expression against the value stack,
> this introduces the possibility to inject server side code."
>
> References:
>
> http://struts.apache.org/release/2.3.x/docs/s2-016.html
>
>
>
> ^ All that is CVE-2013-2251.
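
Added example (not part of the original report or of any Struts or Archiva code): a log check for the three parameter prefixes named in the quoted S2-016 text, flagging requests where the text after the prefix carries an OGNL expression delimiter. The access-log lines, the `/app/` paths and the `CONSTRUCTED_EXPR` placeholder are constructed sample data, and `classify` and `scan` are hypothetical helper names.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes named in the S2-016 text quoted above.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# OGNL expression delimiters as written in Struts 2: %{...} and ${...}.
OGNL_MARK = re.compile(r"[%$]\{")
# Request target inside a common/combined-format access-log entry.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, placeholder expression).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2014:09:00:01 +0000] "GET /app/index.action HTTP/1.1" 200 512',
    '192.0.2.11 - - [15/Jan/2014:09:00:02 +0000] "GET /app/login.action?redirect:%24%7BCONSTRUCTED_EXPR%7D HTTP/1.1" 302 0',
    '192.0.2.12 - - [15/Jan/2014:09:00:03 +0000] "GET /app/login.action?redirectAction:%2525%257BCONSTRUCTED_EXPR%257D HTTP/1.1" 200 0',
    '192.0.2.13 - - [15/Jan/2014:09:00:04 +0000] "GET /app/save.action?action:list HTTP/1.1" 200 90',
]

def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, since double encoding hides the markers."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return (prefix, severity) for a log line, or None if no prefixed parameter is present."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = match.group(1).partition("?")[2]
    for raw in re.split(r"[&;]", query):
        param = decode(raw)
        for prefix in PREFIXES:
            if param.startswith(prefix):
                rest = param[len(prefix):]
                # The prefixes are a navigation feature, so prefix-only hits can be legitimate.
                return prefix, "ognl-marker" if OGNL_MARK.search(rest) else "prefix-only"
    return None

def scan(lines):
    """Return (line_number, prefix, severity) for every line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = classify(line)
        if result:
            hits.append((number, *result))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Access logs only show query strings, so prefixed parameters sent in a POST body need the same check at a proxy or in the application.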
Comment 1 Swamp Workflow Management 2014-01-15 23:00:37 UTC
bugbot adjusting priority