{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43784?format=json","vulnerability_id":"VCID-xpa5-fsb6-ukay","summary":"Code injection in Apache Struts\nThe Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with \"action:\" or \"redirect:\", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.\n\nIn Struts 2 before 2.3.15.1 the information following \"action:\", \"redirect:\" or \"redirectAction:\" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.","aliases":[{"alias":"CVE-2013-2251"},{"alias":"GHSA-47qp-8v9g-39hp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51518?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-z6wr-3psx-dbfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1"}],"affected_packages":[],"references":[{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/90392","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/90392"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/3cfe34fefedcf0fdcfcb061c0aea34a715b7de6"},{"reference_url":"https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/630e1ba065a8215c4e9ac03bfb09be9d655c2b6e"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4140","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-4140"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2251"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2251","reference_id":"CVE-2013-2251","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2251"},{"reference_url":"https://github.com/advisories/GHSA-47qp-8v9g-39hp","reference_id":"GHSA-47qp-8v9g-39hp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-47qp-8v9g-39hp"}],"weaknesses":[{"cwe_id":20,"name":"Improper Input Validation","description":"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."},{"cwe_id":74,"name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","description":"The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa5-fsb6-ukay"}