CVE-2013-4310

Description

The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms, under certain conditions this can be used to bypass security constraints. In Struts 2.3.15.3 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper: - struts.mapper.action.prefix.enabled - when set to false support for "action:" prefix is disabled, set to false by default - struts.mapper.action.prefix.crossNamespaces - when set to false, actions defined with "action:" prefix must be in the same namespace as current action

How to fix CVE-2013-4310

To remediate CVE-2013-4310, upgrade the affected package to a fixed version below.

• —upgrade to 2.3.15.3 or later

Is CVE-2013-4310 being exploited?

Moderate — EPSS is 8.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 2.3.15.3

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4310
• PATCHgithub.com/apache/struts
• WEBgithub.com/apache/struts/commit/0c8366cb792227d484b9ca13e537037dd0cb57dc
• WEBstruts.apache.org/release/2.3.x/docs/s2-018.html