oss-sec mailing list archives

Re: CVE Request: Apache Archiva Remote Command Execution 0day

From: security curmudgeon <jericho () attrition org>
Date: Tue, 14 Jan 2014 17:18:24 -0600 (CST)


: Please assign CVE for Apache Archiva 0day

:: http://cxsecurity.com/issue/WLB-2014010087

From that link:


Apache Archiva use Apache Struts2:

"In Struts 2 before 2.3.15.1 the information following "action:","redirect:" or "redirectAction:" is not properly sanitized. Since saidinformation will be evaluated as OGNL expression against the value stack,this introduces the possibility to inject server side code."


References:

http://struts.apache.org/release/2.3.x/docs/s2-016.html



^ All that is CVE-2013-2251.

Current thread:

CVE Request: Apache Archiva Remote Command Execution 0day Maksymilian A (Jan 14)
- <Possible follow-ups>
- Re: CVE Request: Apache Archiva Remote Command Execution 0day security curmudgeon (Jan 14)
  - Re: CVE Request: Apache Archiva Remote Command Execution 0day Maksymilian A (Jan 14)