ID CVE-2013-4316
Summary Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
References
Vulnerable Configurations
  • Apache Software Foundation Struts 2.3.8
    cpe:2.3:a:apache:struts:2.3.8
  • Apache Software Foundation Struts 2.3.7
    cpe:2.3:a:apache:struts:2.3.7
  • Apache Software Foundation Struts 2.3.4.1
    cpe:2.3:a:apache:struts:2.3.4.1
  • Apache Software Foundation Struts 2.3.4
    cpe:2.3:a:apache:struts:2.3.4
  • Apache Software Foundation Struts 2.3.3
    cpe:2.3:a:apache:struts:2.3.3
  • Apache Software Foundation Struts 2.3.15
    cpe:2.3:a:apache:struts:2.3.15
  • Apache Software Foundation Struts 2.3.14.3
    cpe:2.3:a:apache:struts:2.3.14.3
  • Apache Software Foundation Struts 2.3.14.2
    cpe:2.3:a:apache:struts:2.3.14.2
  • Apache Software Foundation Struts 2.3.14.1
    cpe:2.3:a:apache:struts:2.3.14.1
  • Apache Software Foundation Struts 2.3.14
    cpe:2.3:a:apache:struts:2.3.14
  • Apache Software Foundation Struts 2.3.12
    cpe:2.3:a:apache:struts:2.3.12
  • Apache Software Foundation Struts 2.3.1.2
    cpe:2.3:a:apache:struts:2.3.1.2
  • Apache Software Foundation Struts 2.3.1.1
    cpe:2.3:a:apache:struts:2.3.1.1
  • Apache Software Foundation Struts 2.3.1
    cpe:2.3:a:apache:struts:2.3.1
  • Apache Software Foundation Struts 2.2.3.1
    cpe:2.3:a:apache:struts:2.2.3.1
  • Apache Software Foundation Struts 2.2.3
    cpe:2.3:a:apache:struts:2.2.3
  • Apache Software Foundation Struts 2.2.1.1
    cpe:2.3:a:apache:struts:2.2.1.1
  • Apache Software Foundation Struts 2.2.1
    cpe:2.3:a:apache:struts:2.2.1
  • Apache Software Foundation Struts 2.1.8.1
    cpe:2.3:a:apache:struts:2.1.8.1
  • Apache Software Foundation Struts 2.1.8
    cpe:2.3:a:apache:struts:2.1.8
  • Apache Software Foundation Struts 2.1.6
    cpe:2.3:a:apache:struts:2.1.6
  • Apache Software Foundation Struts 2.1.5
    cpe:2.3:a:apache:struts:2.1.5
  • Apache Software Foundation Struts 2.1.4
    cpe:2.3:a:apache:struts:2.1.4
  • Apache Software Foundation Struts 2.1.3
    cpe:2.3:a:apache:struts:2.1.3
  • Apache Software Foundation Struts 2.1.2
    cpe:2.3:a:apache:struts:2.1.2
  • Apache Software Foundation Struts 2.1.1
    cpe:2.3:a:apache:struts:2.1.1
  • Apache Software Foundation Struts 2.1.0
    cpe:2.3:a:apache:struts:2.1.0
  • Apache Software Foundation Struts 2.0.9
    cpe:2.3:a:apache:struts:2.0.9
  • Apache Software Foundation Struts 2.0.8
    cpe:2.3:a:apache:struts:2.0.8
  • Apache Software Foundation Struts 2.0.7
    cpe:2.3:a:apache:struts:2.0.7
  • Apache Software Foundation Struts 2.0.6
    cpe:2.3:a:apache:struts:2.0.6
  • Apache Software Foundation Struts 2.0.5
    cpe:2.3:a:apache:struts:2.0.5
  • Apache Software Foundation Struts 2.0.4
    cpe:2.3:a:apache:struts:2.0.4
  • Apache Software Foundation Struts 2.0.3
    cpe:2.3:a:apache:struts:2.0.3
  • Apache Software Foundation Struts 2.0.2
    cpe:2.3:a:apache:struts:2.0.2
  • Apache Software Foundation Struts 2.0.14
    cpe:2.3:a:apache:struts:2.0.14
  • Apache Software Foundation Struts 2.0.13
    cpe:2.3:a:apache:struts:2.0.13
  • Apache Software Foundation Struts 2.0.12
    cpe:2.3:a:apache:struts:2.0.12
  • Apache Software Foundation Struts 2.0.11.2
    cpe:2.3:a:apache:struts:2.0.11.2
  • Apache Software Foundation Struts 2.0.11.1
    cpe:2.3:a:apache:struts:2.0.11.1
  • Apache Software Foundation Struts 2.0.11
    cpe:2.3:a:apache:struts:2.0.11
  • Apache Software Foundation Struts 2.0.10
    cpe:2.3:a:apache:struts:2.0.10
  • Apache Software Foundation Struts 2.0.1
    cpe:2.3:a:apache:struts:2.0.1
  • Apache Software Foundation Struts 2.0.0
    cpe:2.3:a:apache:struts:2.0.0
  • Apache Software Foundation Struts 2.3.15.1
    cpe:2.3:a:apache:struts:2.3.15.1
  • cpe:2.3:a:oracle:webcenter_sites:11.1.1.6.1
    cpe:2.3:a:oracle:webcenter_sites:11.1.1.6.1
  • cpe:2.3:a:oracle:flexcube_private_banking:3.0
    cpe:2.3:a:oracle:flexcube_private_banking:3.0
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.2
    cpe:2.3:a:oracle:flexcube_private_banking:12.0.2
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.1
    cpe:2.3:a:oracle:flexcube_private_banking:12.0.1
  • cpe:2.3:a:oracle:flexcube_private_banking:2.0
    cpe:2.3:a:oracle:flexcube_private_banking:2.0
  • cpe:2.3:a:oracle:flexcube_private_banking:2.0.1
    cpe:2.3:a:oracle:flexcube_private_banking:2.0.1
  • cpe:2.3:a:oracle:flexcube_private_banking:1.7
    cpe:2.3:a:oracle:flexcube_private_banking:1.7
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:3.0.4
    cpe:2.3:a:oracle:mysql_enterprise_monitor:3.0.4
  • cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1
    cpe:2.3:a:oracle:flexcube_private_banking:2.2.0.1
  • cpe:2.3:a:oracle:mysql_enterprise_monitor:2.3.14
    cpe:2.3:a:oracle:mysql_enterprise_monitor:2.3.14
  • Oracle Webcenter Sites 11.1.1.8.0
    cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0
CVSS
Base: 10.0 (as of 07-12-2016 - 10:19)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family CGI abuses
    NASL id STRUTS_2_3_15_2.NASL
    description The remote web application appears to use Struts 2, a web framework used for creating Java web applications. The version of Struts 2 in use is affected by a security constraint bypass vulnerability due to a flaw in the action mapping mechanism. Under certain unspecified conditions, an attacker could exploit this issue to bypass security constraints. Note that this version of Struts 2 is known to have Dynamic Method Invocation (DMI) enabled by default. This can expose Struts 2 to additional vulnerabilities so it is recommended that DMI be disabled. (CVE-2013-4316) Note that this plugin will only report the first vulnerable instance of a Struts 2 application.
    last seen 2019-02-23
    modified 2019-02-22
    plugin id 70168
    published 2013-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70168
    title Apache Struts 2 'action:' Parameter Prefix Security Constraint Bypass
  • NASL family CGI abuses
    NASL id MYSQL_ENTERPRISE_MONITOR_2_3_14.NASL
    description According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the multiple vulnerabilities in the bundled version of Apache Struts : - Input validation errors exist that allows the execution of arbitrary Object-Graph Navigation Language (OGNL) expressions via specially crafted parameters to the DefaultActionMapper. (CVE-2013-2251) - Multiple unspecified vulnerabilities exist related to dynamic method invocation being enabled by default. (CVE-2013-4316)
    last seen 2019-02-21
    modified 2018-06-14
    plugin id 83292
    published 2015-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83292
    title MySQL Enterprise Monitor < 2.3.14 Apache Struts Multiple Vulnerabilities
  • NASL family Misc.
    NASL id STRUTS_2_3_15_2_LOCAL.NASL
    description The version of Apache Struts running on the remote host is 2.x prior to 2.3.15.2. It, therefore, is affected by multiple Dynamic Method Invocation (DMI) vulnerabilities as DMI is enabled by default. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-02-15
    plugin id 117402
    published 2018-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117402
    title Apache Struts 2.x < 2.3.15.2 Dynamic Method Invocation Multiple Vulnerabilities (S2-019)
  • NASL family CGI abuses
    NASL id MYSQL_ENTERPRISE_MONITOR_3_0_5.NASL
    description According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple unspecified vulnerabilities related to dynamic method invocation (DMI) in the bundled version of Apache Struts.
    last seen 2019-02-21
    modified 2018-06-13
    plugin id 83297
    published 2015-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83297
    title MySQL Enterprise Monitor 3.0.x < 3.0.5 Apache Struts DMI Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBMYSQL55CLIENT18-140527.NASL
    description MySQL was updated to version 5.5.37 to address various security issues. More information is available at http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.h tml#AppendixMSQL and http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.h tml#AppendixMSQL .
    last seen 2019-02-21
    modified 2014-06-07
    plugin id 74373
    published 2014-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74373
    title SuSE 11.3 Security Update : MySQL (SAT Patch Number 9303)
refmap via4
bid 64758
bugtraq 20130921 [ANN] Struts 2.3.15.2 GA release available - security fix
confirm
sectrack 1029078
Last major update 07-12-2016 - 12:34
Published 30-09-2013 - 17:55
Back to Top