JVN#33504150
Apache Struts vulnerable to remote command execution
Overview
Apache Struts contains a remote command execution vulnerability.
Products Affected
- Apache Struts 2.0.0 through 2.3.15
Description
Apache Struts, provided by the Apache Software Foundation, is a software framework for creating Java web applications. Apache Struts contains a remote command execution vulnerability.
This is the same issue that the developer published as S2-016 on July 16, 2013.
Note that attacks leveraging this vulnerability have been confirmed.
Impact
An arbitrary command may be executed on the server where Apache Struts resides.
Solution
Apply an Update
Update to the latest version according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| Source | Reference |
|---|---|
| JPCERT Alert | JPCERT-AT-2013-0033 Vulnerability in Apache Struts (S2-016) |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2013-2251 |
| JVN iPedia | JVNDB-2013-003469 |