Date: Tue, 14 Jan 2014 17:18:24 -0600 (CST)
From: security curmudgeon <jericho@...rition.org>
To: Maksymilian A <max@...t.cx>
cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Apache Archiva Remote Command Execution 0day


: Please assign CVE for Apache Archiva 0day
: 
: http://cxsecurity.com/issue/WLB-2014010087

From that link:

Apache Archiva uses Apache Struts 2:
  "In Struts 2 before 2.3.15.1 the information following "action:", 
"redirect:" or "redirectAction:" is not properly sanitized. Since said 
information will be evaluated as OGNL expression against the value stack, 
this introduces the possibility to inject server side code."

References:

http://struts.apache.org/release/2.3.x/docs/s2-016.html



^ All that is CVE-2013-2251.
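As an added illustration (not part of the original post, nor Archiva or Struts code), a defender-side log check for the S2-016 / CVE-2013-2251 condition quoted above: any query parameter whose name begins with "action:", "redirect:" or "redirectAction:" is flagged for triage. The log lines, client addresses and the /archiva/... paths are constructed sample data; the real fix is the Struts upgrade in the linked advisory.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameter-name prefixes that Struts 2 before 2.3.15.1 evaluated as OGNL
# (S2-016 / CVE-2013-2251), as quoted from the advisory above.
S2_016_PREFIXES = ("action:", "redirect:", "redirectAction:")

# Common Log Format request line: "METHOD /path?query HTTP/1.x"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (hypothetical hosts and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2014:17:18:24 -0600] "GET /archiva/index.action?repositoryId=internal HTTP/1.1" 200 5120
10.0.0.9 - - [14/Jan/2014:17:19:02 -0600] "GET /archiva/index.action?redirect:%2Fsome%2Fpath HTTP/1.1" 302 0
10.0.0.9 - - [14/Jan/2014:17:19:05 -0600] "POST /archiva/login.action?action:foo HTTP/1.1" 200 11
10.0.0.9 - - [14/Jan/2014:17:19:09 -0600] "GET /archiva/index.action?redirectAction%3Abar=1 HTTP/1.1" 200 11
"""


def s2_016_params(request_target):
    """Return decoded query-parameter names that start with an S2-016 prefix.

    parse_qsl URL-decodes names once; the extra unquote_plus pass is a
    detection choice so that double-encoded names are flagged rather than missed.
    """
    query = urlsplit(request_target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote_plus(name)
        if decoded.startswith(S2_016_PREFIXES):
            hits.append(decoded)
    return hits


def scan_log(text):
    """Return (client, request_target, flagged_names) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a recognisable request line
        hits = s2_016_params(m.group("target"))
        if hits:
            findings.append((line.split()[0], m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for client, target, names in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {names}")
```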
