http://struts.apache.org/development/2.x/docs/s2-015.html

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

64758

https://cwiki.apache.org/confluence/display/WW/S2-015

The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.3. It, therefore, is affected by a remote command execution vulnerability.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server by sending a specially crafted HTTP request.

Note that this plugin will only report the first vulnerable instance of a Struts 2 application.

ID	Name	Product	Family	Severity
117389	Apache Struts 2.x < 2.3.14.3 RCE (S2-015)	Nessus	Misc.	critical
66931	Apache Struts 2 OGNL Expression Handling Double Evaluation Error Remote Command Execution	Nessus	CGI abuses	high

CVE-2013-2135

high

Tenable Plugins

critical

high