Web application abuses : Apache Struts Security Update (S2-016, S2-017)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.803838

Categoría: Web application abuses

Título: Apache Struts Security Update (S2-016, S2-017) - Active Check

Resumen: Apache Struts is prone to multiple vulnerabilities.

Descripción: Summary:
Apache Struts is prone to multiple vulnerabilities.

Vulnerability Insight:
The flaws exist due to an improper sanitation of
'action:', 'redirect:', and 'redirectAction:' prefixing parameters before being used in
DefaultActionMapper.

Vulnerability Impact:
Successful exploitation will allow remote attacker to
execute arbitrary arbitrary Java code via OGNL (Object-Graph Navigation Language) or
redirect user to a malicious url.

Affected Software/OS:
Apache Struts 2.0.0 through 2.3.15.

Solution:
Update to version 2.3.15.1 or later.

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2013-2248
61196
http://www.securityfocus.com/bid/61196
64758
http://www.securityfocus.com/bid/64758
http://struts.apache.org/release/2.3.x/docs/s2-017.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-2251
1029184
http://www.securitytracker.com/id/1029184
1032916
http://www.securitytracker.com/id/1032916
20131013 Apache Software Foundation A Subsite Remote command execution
http://seclists.org/fulldisclosure/2013/Oct/96
20131023 Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
61189
http://www.securityfocus.com/bid/61189
98445
http://osvdb.org/98445
[oss-security] 20140114 Re: CVE Request: Apache Archiva Remote Command Execution 0day
http://seclists.org/oss-sec/2014/q1/89
apache-archiva-ognl-command-exec(90392)
https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
http://archiva.apache.org/security.html
http://cxsecurity.com/issue/WLB-2014010087
http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Copyright Copyright (C) 2013 Greenbone Networks GmbH

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.803838
Categoría:	Web application abuses
Título:	Apache Struts Security Update (S2-016, S2-017) - Active Check
Resumen:	Apache Struts is prone to multiple vulnerabilities.
Descripción:	Summary: Apache Struts is prone to multiple vulnerabilities. Vulnerability Insight: The flaws exist due to an improper sanitation of 'action:', 'redirect:', and 'redirectAction:' prefixing parameters before being used in DefaultActionMapper. Vulnerability Impact: Successful exploitation will allow remote attacker to execute arbitrary arbitrary Java code via OGNL (Object-Graph Navigation Language) or redirect user to a malicious url. Affected Software/OS: Apache Struts 2.0.0 through 2.3.15. Solution: Update to version 2.3.15.1 or later. CVSS Score: 9.3 CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2013-2248 61196 http://www.securityfocus.com/bid/61196 64758 http://www.securityfocus.com/bid/64758 http://struts.apache.org/release/2.3.x/docs/s2-017.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-bpm-analytics-201301e.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html Common Vulnerability Exposure (CVE) ID: CVE-2013-2251 1029184 http://www.securitytracker.com/id/1029184 1032916 http://www.securitytracker.com/id/1032916 20131013 Apache Software Foundation A Subsite Remote command execution http://seclists.org/fulldisclosure/2013/Oct/96 20131023 Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2 61189 http://www.securityfocus.com/bid/61189 98445 http://osvdb.org/98445 [oss-security] 20140114 Re: CVE Request: Apache Archiva Remote Command Execution 0day http://seclists.org/oss-sec/2014/q1/89 apache-archiva-ognl-command-exec(90392) https://exchange.xforce.ibmcloud.com/vulnerabilities/90392 http://archiva.apache.org/security.html http://cxsecurity.com/issue/WLB-2014010087 http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html http://struts.apache.org/release/2.3.x/docs/s2-016.html http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Copyright	Copyright (C) 2013 Greenbone Networks GmbH