CVE-2013-1966 — Arbitrary code execution in Apache Struts

Description

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

How to fix CVE-2013-1966

To remediate CVE-2013-1966, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.14.2 or later
Maven/org.apache.struts.xwork:xwork-core—upgrade to 2.3.14.2 or later

Is CVE-2013-1966 being exploited?

Likely — EPSS is 91.1%, placing CVE-2013-1966 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

>= 2.0.0, < 2.3.14.2
>= 2.0.0, < 2.3.14.2

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-1966
PATCHgithub.com/apache/struts
WEBbugzilla.redhat.com/show_bug.cgi?id=967656
WEBcwiki.apache.org/confluence/display/WW/S2-013
WEB