PT-2013-1359 · Apache · Apache Struts

Douglas Rodrigues +1

Published 2013-05-24 · Updated 2022-05-13 · CVE-2013-2115

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Struts versions prior to 2.3.14.2
Description: The vulnerability lies in how the s:url and s:a tags handle the includeParams attribute. includeParams controls whether HTTP request parameters are copied into the URL the tag generates; the allowed values are none, get, and all. When parameters are included, their values are placed on the value stack and evaluated as OGNL expressions, so a specially crafted request parameter can inject arbitrary OGNL code, invoke methods, and bypass the protections of Struts and the OGNL library. A remote, unauthenticated attacker can therefore execute arbitrary commands on the server; the same primitive also allows session access and manipulation and XSS. CVE-2013-2115 covers the incomplete fix for this issue that shipped in 2.3.14.1; version 2.3.14.2 corrects it.
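The attack path described above arrives as ordinary query-string parameters, so it is visible in web-server access logs. The following scanner is an added example, not code from the original advisory or from the Struts project: it walks constructed combined-format log lines, URL-decodes each parameter repeatedly (attackers double-encode, so %25%7B becomes %{), and flags values that carry OGNL expression delimiters or context references. The marker list and the sample log are assumptions made for the example; tune the markers to your own traffic before alerting on them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2013:10:00:01 +0000] "GET /app/list.action?page=2&sort=name HTTP/1.1" 200 5120
10.0.0.9 - - [24/May/2013:10:00:07 +0000] "GET /app/list.action?page=2&foo=%25%7B1%2B1%7D HTTP/1.1" 200 5133
10.0.0.9 - - [24/May/2013:10:00:09 +0000] "GET /app/list.action?q=%24%7B%23_memberAccess%7D HTTP/1.1" 200 5133
10.0.0.7 - - [24/May/2013:10:00:11 +0000] "POST /app/login.action HTTP/1.1" 302 0
"""

# Extracts the method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Heuristic markers of an OGNL expression arriving in a request parameter (assumed list):
# %{...} and ${...} are OGNL expression delimiters; '#' introduces context references.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context", "@java.lang")


def decode_fully(value, rounds=3):
    """URL-decode repeatedly until the value stops changing (handles double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters that carry OGNL markers."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl performs one round of decoding; decode_fully strips any further layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = decode_fully(name), decode_fully(value)
        if any(marker in name or marker in value for marker in OGNL_MARKERS):
            hits.append((name, value))
    return hits


def scan_log(log_text):
    """Return [(client_ip, target, hits)] for log lines whose query carries OGNL markers."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((line.split()[0], m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
```

Only GET targets are inspected here because the request line is all a standard access log records; parameters sent in a POST body need the same check applied at a reverse proxy or WAF that sees the body.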
Recommendations: Upgrade Apache Struts to version 2.3.14.2 or later. Where an immediate upgrade is not possible, audit every s:url and s:a tag in the application and set includeParams="none" so that no request parameters are copied into generated URLs, and remove any use of includeParams="all". Note that includeParams="get" still copies query-string parameters, which are exactly the input an attacker controls in a GET request, so on affected versions it narrows the attack surface far less than none does and should not be relied on as a workaround.
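The two checks the recommendations call for, confirming the deployed Struts version against the fixed release and finding s:url / s:a tags that still include request parameters, can be scripted. The script below is an added example, not code from the original advisory or from the Struts project; the JSP fragments are constructed for the example, and tags without an explicit includeParams are reported as "default" so a reviewer can decide whether the installed version's default is acceptable rather than the script assuming it.

```python
import re

# Constructed sample JSP fragments keyed by file name; not from any real application.
SAMPLE_JSPS = {
    "list.jsp": (
        '<s:url id="next" action="list" includeParams="all">'
        '<s:param name="page" value="%{page+1}"/></s:url>\n'
        '<s:a href="%{next}">Next</s:a>\n'
    ),
    "menu.jsp": (
        '<s:a action="home" includeParams="none">Home</s:a>\n'
        '<s:url action="search" includeParams="get" />\n'
    ),
    "footer.jsp": '<s:url action="about" />\n',
}

# First release that corrects CVE-2013-2115 (from the advisory).
FIXED_VERSION = (2, 3, 14, 2)

# Opening <s:url ...> or <s:a ...> tags; \b keeps <s:actionerror> and similar out.
TAG_RE = re.compile(r"<s:(url|a)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'includeParams\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_version(text):
    """'2.3.14.1' -> (2, 3, 14, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def struts_is_fixed(version):
    """True when the installed struts2-core version is 2.3.14.2 or later."""
    return parse_version(version) >= FIXED_VERSION


def audit_jsp(name, text):
    """Return [(file, tag, includeParams)] for tags whose includeParams is not 'none'."""
    findings = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        attr = ATTR_RE.search(attrs)
        value = attr.group(1).strip().lower() if attr else "default"
        if value != "none":
            findings.append((name, tag, value))
    return findings


def audit(jsps, struts_version):
    """Summarise exposure: version status plus every tag that still includes parameters."""
    tag_findings = []
    for name, text in jsps.items():
        tag_findings.extend(audit_jsp(name, text))
    return {
        "version": struts_version,
        "fixed": struts_is_fixed(struts_version),
        "tags_including_params": tag_findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_JSPS, "2.3.14.1")
    print("struts", report["version"], "fixed:", report["fixed"])
    for file_name, tag, value in report["tags_including_params"]:
        print(f"{file_name}: <s:{tag}> includeParams={value}")
```

In a real deployment, read the version from the struts2-core jar's file name or manifest and feed the JSP files from the exploded web application directory; the tag audit is only a stop-gap to prioritise, since the upgrade is the actual fix.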

Tags: Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers

BDU:2022-06025
CVE-2013-2115
GHSA-7GHM-RPC7-P7G5

Affected Products

Apache Struts