What is CVE-2013-1965?

CVE-2013-1965 is a vulnerability in Apache Struts, classified under Code Injection. Published 2013-07-10.

Is CVE-2013-1965 known to be exploited?

23 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Apache Struts

CVE-2013-1965

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.918 (99.7th percentile) — read the EPSS interpretation.

Affected products

Apache Struts
Apache Struts2-showcase
N/a — versions n/a

Weakness classification (CWE)

CWE-94 — Code Injection

Public proof-of-concept exploits

cinno/CVE-2013-1965
0day666/Vulnerability-verification
20142995/nuclei-templates
20142995/pocsuite3
ARPSyndicate/cvemon
ARPSyndicate/kenzer-templates
CrackerCat/myhktools
Elsfa7-110/kenzer-templates
GhostTroops/myhktools
SexyBeast233/SecBooks

References

secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
secalert@redhat.com (VDB Entry, Third Party Advisory, x_refsource_MISC)
60082 (Third Party Advisory, vdb-entry, x_refsource_BID)

Frequently asked questions

What is CVE-2013-1965?: CVE-2013-1965 is a vulnerability in Apache Struts, classified under Code Injection. Published 2013-07-10.
Is CVE-2013-1965 known to be exploited?: 23 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.