Apache Struts 2.x to 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted 'action:', 'redirect:', or 'redirectAction:' prefix.

This mechanism was intended to help with attaching navigational information to buttons within forms.

The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression prefixed by the 'action:' parameter, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server. An attacker can exploit the issue by sending a specially crafted HTTP request to the remote web server.

Note that the 'redirect:' and 'redirectAction' parameters are also reportedly affected by the command execution vulnerability.
Additionally, this version of Struts 2 is also reportedly affected by an open redirect vulnerability; however, Nessus has not tested for this additional issue.

Note also that this plugin will only report the first vulnerable instance of a Struts 2 application.

Finally, note that Apache Archiva versions prior to and equal to 1.3.6 are also affected by this issue as the application utilizes a vulnerable version of Struts 2.

According to its self-reported version, the instance of Apache Archiva hosted on the remote web server is 1.2.x prior than or equal to 1.2.2 or 1.3.x prior than or equal to 1.3.6 and thus is affected by the following vulnerabilities :

  - An input validation error exists related to     unspecified scripts and unspecified parameters that     could allow cross-site scripting attacks.
    (CVE-2013-2187)

  - Input validation errors exist related to the bundled     version of Apache Struts that could allow arbitrary     Object-Graph Navigation Language (OGNL) expression     execution via specially crafted requests.
    (CVE-2013-2251)

The instance of Selligent Message Studio running on the remote host is affected by CVE-2013-2251, a code execution vulnerability in Apache Struts (S2-016). A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute code on the remote host.

According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the multiple vulnerabilities in the bundled version of Apache Struts :

  - Input validation errors exist that allows the execution     of arbitrary Object-Graph Navigation Language (OGNL)     expressions via specially crafted parameters to the     DefaultActionMapper. (CVE-2013-2251)

  - Multiple unspecified vulnerabilities exist related to     dynamic method invocation being enabled by default.
    (CVE-2013-4316)

The version of Apache Struts running on the remote host is 2.x prior to 2.3.15.1. It, therefore, is affected by multiple vulnerabilities including a remote command execution vulnerability and an open redirect vulnerability.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
112741	Apache Struts 2.x < 2.3.15.1 Remote Code Execution (S2-016)	Web App Scanning	Component Vulnerability	4/12/2021	9/7/2021	high
68981	Apache Struts 2 'action:' Parameter Arbitrary Remote Command Execution	Nessus	CGI abuses	7/19/2013	7/17/2023	critical
73761	Apache Archiva 1.2.x <= 1.2.2 / 1.3.x <= 1.3.6 Multiple Vulnerabilities	Nessus	CGI abuses	4/29/2014	4/25/2023	high
142462	Selligent Message Studio Struts Code Execution (CVE-2013-2251)	Nessus	CGI abuses	11/5/2020	4/23/2024	critical
83292	MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities	Nessus	CGI abuses	5/8/2015	4/25/2023	critical
117362	Apache Struts 2.x < 2.3.15.1 Multiple Vulnerabilities (S2-016) (S2-017)	Nessus	Misc.	9/10/2018	4/25/2023	critical

Detections

Analytics

Plugins Search

high

critical

high

critical

critical

critical