Published: 2013/09/06  Last Updated: 2013/09/06

Apache Struts vulnerable to remote command execution


Apache Struts contains a remote command execution vulnerability.

Products Affected

  • Apache Struts 2.0.0 through 2.3.15


Apache Struts, provided by the Apache Software Foundation, is a software framework for creating Java web applications. Apache Struts contains a remote command execution vulnerability.

This is the same issue that the developer published as S2-016 on July 16, 2013.

Note that attacks leveraging this vulnerability have been confirmed.


An arbitrary command may be executed on the server where Apache Struts resides.


Apply an Update
Update to the latest version according to the information provided by the developer.



Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert: JPCERT-AT-2013-0033, Vulnerability in Apache Struts (S2-016)
CVE: CVE-2013-2251
JVN iPedia: JVNDB-2013-003469