CVE-2013-2135 — Arbitrary code execution in Apache Struts 2

Description

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

How to fix CVE-2013-2135

To remediate CVE-2013-2135, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.14.3 or later
Maven/org.apache.struts.xwork:xwork-core—upgrade to 2.3.14.3 or later

Is CVE-2013-2135 being exploited?

Likely — EPSS is 83.0%, placing CVE-2013-2135 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

>= 2.0.0, < 2.3.14.3
>= 2.0.0, < 2.3.14.3

References (17)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-2135
PATCHgithub.com/apache/struts
WEBcwiki.apache.org/confluence/display/WW/S2-015
WEBgithub.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0