Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.struts/struts2-core@2.3.15.1
Typemaven
Namespaceorg.apache.struts
Namestruts2-core
Version2.3.15.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.3.31
Latest_non_vulnerable_version7.1.1
Affected_by_vulnerabilities
0
url VCID-z6wr-3psx-dbfm
vulnerability_id VCID-z6wr-3psx-dbfm
summary This package enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
references
0
reference_url http://struts.apache.org/docs/s2-019.html
reference_id
reference_type
scores
url http://struts.apache.org/docs/s2-019.html
1
reference_url https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316
reference_id
reference_type
scores
url https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.15.2
purl pkg:maven/org.apache.struts/struts2-core@2.3.15.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kmqa-hsqy-muf1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.2
aliases CVE-2013-4316
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z6wr-3psx-dbfm
Fixing_vulnerabilities
0
url VCID-1exe-1vfk-f7bn
vulnerability_id VCID-1exe-1vfk-f7bn
summary 
Allows open redirects
Multiple open redirect vulnerabilities in this package allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the `redirect:` or `redirectAction:` prefix.
references
0
reference_url http://struts.apache.org/docs/s2-017.html
reference_id
reference_type
scores
url http://struts.apache.org/docs/s2-017.html
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.15.1
purl pkg:maven/org.apache.struts/struts2-core@2.3.15.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-z6wr-3psx-dbfm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1
aliases CVE-2013-2248
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1exe-1vfk-f7bn
1
url VCID-xpa5-fsb6-ukay
vulnerability_id VCID-xpa5-fsb6-ukay
summary 
Code injection in Apache Struts
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
references
0
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
reference_id
reference_type
scores
url https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
1
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
2
reference_url https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6
3
reference_url https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e
4
reference_url https://issues.apache.org/jira/browse/WW-4140
reference_id
reference_type
scores
url https://issues.apache.org/jira/browse/WW-4140
5
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251
reference_id
reference_type
scores
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-2251
reference_id CVE-2013-2251
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2013-2251
7
reference_url https://github.com/advisories/GHSA-47qp-8v9g-39hp
reference_id GHSA-47qp-8v9g-39hp
reference_type
scores
url https://github.com/advisories/GHSA-47qp-8v9g-39hp
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.15.1
purl pkg:maven/org.apache.struts/struts2-core@2.3.15.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-z6wr-3psx-dbfm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1
aliases CVE-2013-2251, GHSA-47qp-8v9g-39hp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa5-fsb6-ukay
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1