Vulnerability CVE-2013-4310


Published: 2013-09-30   Modified: 2014-01-27

Description:
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted "action:" prefix.

Type: CWE-264 (Permissions, Privileges, and Access Controls)

Vendor: Apache
Product: Struts 
Version:
2.3.8
2.3.7
2.3.4.1
2.3.4
2.3.3
2.3.15.1
2.3.15
2.3.14.3
2.3.14.2
2.3.14.1
2.3.14
2.3.12
2.3.1.2
2.3.1.1
2.3.1
2.2.3.1
2.2.3
2.2.1.1
2.2.1
2.1.8.1
2.1.8
2.1.6
2.1.5
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.14
2.0.13
2.0.12
2.0.11.2
2.0.11.1
2.0.11
2.0.10
2.0.1
2.0.0

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

References:
http://struts.apache.org/release/2.3.x/docs/s2-018.html
http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html
http://www.securitytracker.com/id/1029077
http://www.securityfocus.com/bid/64758
http://secunia.com/advisories/56492
http://secunia.com/advisories/56483
http://secunia.com/advisories/54919
http://archives.neohapsis.com/archives/bugtraq/2013-10/0083.html


Copyright 2015, cxsecurity.com