oss-sec mailing list archives
Re: CVE Request: Apache Archiva Remote Command Execution 0day
From: security curmudgeon <jericho () attrition org>
Date: Tue, 14 Jan 2014 17:18:24 -0600 (CST)
: Please assign CVE for Apache Archiva 0day:
: http://cxsecurity.com/issue/WLB-2014010087
From that link:
Apache Archiva use Apache Struts2: "In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code."
References: http://struts.apache.org/release/2.3.x/docs/s2-016.html
^ All that is CVE-2013-2251.
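Added example (not part of the original message, and not code from the Archiva or Struts projects): a log check for the parameter prefixes named in the quoted S2-016 text, flagging requests where a prefix is followed by an OGNL expression delimiter. The combined access-log format, the `/archiva/...` paths and the `EXPR` placeholder are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameter-name prefixes named in the S2-016 text quoted above.
PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_EXPR = re.compile(r"[$%]\{")  # OGNL expression delimiters ${ and %{
# Request line of a combined-format access-log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; paths are hypothetical, EXPR is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2014:10:00:01 +0000] "GET /archiva/index.action HTTP/1.1" 200 5120',
    '192.0.2.11 - - [14/Jan/2014:10:00:02 +0000] "GET /archiva/index.action?redirect:%24%7BEXPR%7D HTTP/1.1" 302 0',
    '192.0.2.12 - - [14/Jan/2014:10:00:03 +0000] "GET /archiva/index.action?q=a&redirectAction%253A%2525%257BEXPR%257D HTTP/1.1" 302 0',
    '192.0.2.13 - - [14/Jan/2014:10:00:04 +0000] "POST /archiva/login.action?action:login HTTP/1.1" 200 812',
]


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded prefixes are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return None, 'prefix' or 'prefix+ognl' for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return None
    verdict = None
    for pair in urlsplit(match.group(1)).query.split("&"):
        text = decode_fully(pair)  # prefix and expression sit in the parameter name
        if text.startswith(PREFIXES):
            if OGNL_EXPR.search(text):
                return "prefix+ognl"
            verdict = "prefix"
    return verdict


def scan(lines):
    """Return (line number, verdict) for every flagged line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, v) for n, v in hits if v]


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

Access logs only cover the query string; the same parameter names sent in a POST body need request-body inspection.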