{"url":"http://public2.vulnerablecode.io/api/packages/51504?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.14.2","type":"maven","namespace":"org.apache.struts","name":"struts2-core","version":"2.3.14.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.3.31","latest_non_vulnerable_version":"7.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37553?format=json","vulnerability_id":"VCID-1kjb-use6-23eu","summary":"Code Injection\nApache Struts allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both `${}` and `%{}` sequences, which causes the OGNL code to be evaluated twice.","references":[{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-015","reference_id":"","reference_type":"","scores":[],"url":"https://cwiki.apache.org/confluence/display/WW/S2-015"},{"reference_url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0"},{"reference_url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f"},{"reference_url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c"},{"reference_url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3"},{"reference_url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba"},{"reference_url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37"},{"reference_url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4090","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4090"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4094","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4094"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4095","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4095"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-015.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/development/2.x/docs/s2-015.html"},{"reference_url":"http://struts.apache.org/docs/s2-015.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-015.html"},{"reference_url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2135","reference_id":"CVE-2013-2135","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2135"},{"reference_url":"https://github.com/advisories/GHSA-pw8r-x2qm-3h5m","reference_id":"GHSA-pw8r-x2qm-3h5m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pw8r-x2qm-3h5m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51514?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.14.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvxu-9sh6-qbef"},{"vulnerability":"VCID-hrky-nmnv-g3eu"},{"vulnerability":"VCID-mmth-7rgf-aqfa"},{"vulnerability":"VCID-z1jy-4da2-tyhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.3"}],"aliases":["CVE-2013-2135","GHSA-pw8r-x2qm-3h5m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1kjb-use6-23eu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37551?format=json","vulnerability_id":"VCID-447s-4ag7-gyes","summary":"Remote command execution\nThis package allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.","references":[{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=967655","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=967655"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-012.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/development/2.x/docs/s2-012.html"},{"reference_url":"http://struts.apache.org/docs/s2-012.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-012.html"},{"reference_url":"http://www.securityfocus.com/bid/60082","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/60082"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1965","reference_id":"CVE-2013-1965","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1965"},{"reference_url":"https://github.com/advisories/GHSA-whmq-v94q-34p9","reference_id":"GHSA-whmq-v94q-34p9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-whmq-v94q-34p9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51514?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.14.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvxu-9sh6-qbef"},{"vulnerability":"VCID-hrky-nmnv-g3eu"},{"vulnerability":"VCID-mmth-7rgf-aqfa"},{"vulnerability":"VCID-z1jy-4da2-tyhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.3"}],"aliases":["CVE-2013-1965","GHSA-whmq-v94q-34p9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-447s-4ag7-gyes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37554?format=json","vulnerability_id":"VCID-89az-256b-mubw","summary":"Code Injection\nApache Struts 2 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.","references":[{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-015","reference_id":"","reference_type":"","scores":[],"url":"https://cwiki.apache.org/confluence/display/WW/S2-015"},{"reference_url":"http://security.gentoo.org/glsa/glsa-201409-04.xml","reference_id":"","reference_type":"","scores":[],"url":"http://security.gentoo.org/glsa/glsa-201409-04.xml"},{"reference_url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0"},{"reference_url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f"},{"reference_url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c"},{"reference_url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3"},{"reference_url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba"},{"reference_url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37"},{"reference_url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4090","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4090"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4094","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4094"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4095","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4095"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-015.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/development/2.x/docs/s2-015.html"},{"reference_url":"http://struts.apache.org/docs/s2-015.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-015.html"},{"reference_url":"https://web.archive.org/web/20140226173351/http://www.securityfocus.com/bid/60346","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20140226173351/http://www.securityfocus.com/bid/60346"},{"reference_url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2134","reference_id":"CVE-2013-2134","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2134"},{"reference_url":"https://github.com/advisories/GHSA-gqqm-564f-vvxq","reference_id":"GHSA-gqqm-564f-vvxq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gqqm-564f-vvxq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51514?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.14.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvxu-9sh6-qbef"},{"vulnerability":"VCID-hrky-nmnv-g3eu"},{"vulnerability":"VCID-mmth-7rgf-aqfa"},{"vulnerability":"VCID-z1jy-4da2-tyhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.3"}],"aliases":["CVE-2013-2134","GHSA-gqqm-564f-vvxq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-89az-256b-mubw"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37550?format=json","vulnerability_id":"VCID-4x3k-a11x-7bee","summary":"Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags\nThis package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the `includeParams` attribute in the URL or A tag.","references":[{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-013","reference_id":"","reference_type":"","scores":[],"url":"https://cwiki.apache.org/confluence/display/WW/S2-013"},{"reference_url":"https://github.com/apache/struts/commit/7e6f641ebb142663cbd1653dc49bed725edf7f56","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/7e6f641ebb142663cbd1653dc49bed725edf7f56"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-013.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/development/2.x/docs/s2-013.html"},{"reference_url":"http://struts.apache.org/docs/s2-013.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-013.html"},{"reference_url":"http://struts.apache.org/docs/s2-014.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-014.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1966","reference_id":"CVE-2013-1966","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1966"},{"reference_url":"https://github.com/advisories/GHSA-737w-mh58-cxjp","reference_id":"GHSA-737w-mh58-cxjp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-737w-mh58-cxjp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51504?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1kjb-use6-23eu"},{"vulnerability":"VCID-447s-4ag7-gyes"},{"vulnerability":"VCID-89az-256b-mubw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.2"}],"aliases":["CVE-2013-1966","GHSA-737w-mh58-cxjp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4x3k-a11x-7bee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37548?format=json","vulnerability_id":"VCID-wsvw-qwt7-qbg1","summary":"Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags\nThis package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the URL or A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.","references":[{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-013","reference_id":"","reference_type":"","scores":[],"url":"https://cwiki.apache.org/confluence/display/WW/S2-013"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-014","reference_id":"","reference_type":"","scores":[],"url":"https://cwiki.apache.org/confluence/display/WW/S2-014"},{"reference_url":"https://github.com/apache/struts/commit/d7804297e319c7a12245e1b536e565fcea6d650","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/d7804297e319c7a12245e1b536e565fcea6d650"},{"reference_url":"https://github.com/apache/struts/commit/d934c6e7430b7b98e43a0a085a2304bd31a75c3d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/d934c6e7430b7b98e43a0a085a2304bd31a75c3d"},{"reference_url":"https://github.com/apache/struts/commit/ea96d18d0f75c390d2595648efa3563785c272c6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/ea96d18d0f75c390d2595648efa3563785c272c6"},{"reference_url":"https://github.com/apache/struts/commit/fed4f8e8a4ec69b5e7612b92d8ce3e476680474","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/fed4f8e8a4ec69b5e7612b92d8ce3e476680474"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4063","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4063"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-014.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/development/2.x/docs/s2-014.html"},{"reference_url":"http://struts.apache.org/docs/s2-014.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-014.html"},{"reference_url":"https://web.archive.org/web/20140212000331/http://www.securityfocus.com/bid/60167","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20140212000331/http://www.securityfocus.com/bid/60167"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2115","reference_id":"CVE-2013-2115","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2115"},{"reference_url":"https://github.com/advisories/GHSA-7ghm-rpc7-p7g5","reference_id":"GHSA-7ghm-rpc7-p7g5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7ghm-rpc7-p7g5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51504?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1kjb-use6-23eu"},{"vulnerability":"VCID-447s-4ag7-gyes"},{"vulnerability":"VCID-89az-256b-mubw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.2"}],"aliases":["CVE-2013-2115","GHSA-7ghm-rpc7-p7g5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wsvw-qwt7-qbg1"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.2"}