RCE in Apache Roller

CVE-2013-4212

Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated by the pageTitle parameter in the !getPag…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.871 (99.5th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2013-4212?
CVE-2013-4212 is a vulnerability in Apache Roller, classified under Code Injection. Published 2013-12-07.
Is CVE-2013-4212 known to be exploited?
6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.