{"url":"http://public2.vulnerablecode.io/api/packages/51518?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.15.1","type":"maven","namespace":"org.apache.struts","name":"struts2-core","version":"2.3.15.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.3.31","latest_non_vulnerable_version":"7.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37580?format=json","vulnerability_id":"VCID-z6wr-3psx-dbfm","summary":"This package enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.","references":[{"reference_url":"http://struts.apache.org/docs/s2-019.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-019.html"},{"reference_url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316","reference_id":"","reference_type":"","scores":[],"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51619?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.15.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kmqa-hsqy-muf1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.2"}],"aliases":["CVE-2013-4316"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z6wr-3psx-dbfm"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37556?format=json","vulnerability_id":"VCID-1exe-1vfk-f7bn","summary":"Allows open redirects\nMultiple open redirect vulnerabilities in this package allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the `redirect:` or `redirectAction:` prefix.","references":[{"reference_url":"http://struts.apache.org/docs/s2-017.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-017.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51518?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-z6wr-3psx-dbfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1"}],"aliases":["CVE-2013-2248"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1exe-1vfk-f7bn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43784?format=json","vulnerability_id":"VCID-xpa5-fsb6-ukay","summary":"Code injection in Apache Struts\nThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.\n\nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.","references":[{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/90392","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/90392"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6"},{"reference_url":"https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4140","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4140"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2251","reference_id":"CVE-2013-2251","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2251"},{"reference_url":"https://github.com/advisories/GHSA-47qp-8v9g-39hp","reference_id":"GHSA-47qp-8v9g-39hp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-47qp-8v9g-39hp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51518?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-z6wr-3psx-dbfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1"}],"aliases":["CVE-2013-2251","GHSA-47qp-8v9g-39hp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa5-fsb6-ukay"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1"}