CVE-2013-2134 — Arbitrary code execution in Apache Struts 2

Description

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

How to fix CVE-2013-2134

To remediate CVE-2013-2134, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.14.3 or later
Maven/org.apache.struts.xwork:xwork-core—upgrade to 2.3.14.3 or later

Is CVE-2013-2134 being exploited?

Likely — EPSS is 90.9%, placing CVE-2013-2134 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

>= 2.0.0, < 2.3.14.3
>= 2.0.0, < 2.3.14.3

References (19)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-2134
PATCHgithub.com/apache/struts
WEBcwiki.apache.org/confluence/display/WW/S2-015
WEBsecurity.gentoo.org/glsa/glsa-201409-04.xml
WEB