CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2013-2251

CVSS 9.8v3.1pub. 2013-07-20upd. 2026-04-22

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Archiva

    APP
    Apache
    1.21.2.21.3 – 1.3.8 (bez)
  • Apache Struts

    APP
    Apache
    2.0.0 – 2.3.15
  • Fujitsu Interstage Business Process Manager Analytics

    APP
    Fujitsu
    12.012.1
  • Microsoft Windows Server 2003

    OS
    Microsoft
    wszystkie wersje
  • Microsoft Windows Server 2008

    OS
    Microsoft
    wszystkie wersje
  • Microsoft Windows Server 2012

    OS
    Microsoft
    wszystkie wersje
  • Oracle Siebel Apps E Billing

    APP
    Oracle
    6.16.1.16.2
  • Oracle Solaris

    OS
    Oracle
    11
  • Red Hat Enterprise Linux

    OS
    Redhat
    5.0 – 6.10

CISA KEV — detailsi

Vendori
Apache
Producti
Struts
Added to KEVi
March 25, 2022
Remediation deadline (US Federal)i
April 15, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 15 kwietnia 2022
CWE
References

Related vulnerabilities

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2020-14871CRITICAL10.0⚠ KEVten sam produkt

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Su...