Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

cisco-sa-20131023-struts2 · Severity: Critical

Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability (CVE-2013-2251, Apache Struts advisory S2-016). The vulnerability is due to insufficient sanitization of user-supplied input: Struts evaluates Object-Graph Navigation Language (OGNL) expressions supplied in request parameters that carry the action:, redirect: or redirectAction: prefix. An attacker could exploit this vulnerability by sending crafted requests containing OGNL expressions to an affected system. A successful exploit could allow the attacker to execute arbitrary code on the targeted system. Cisco has released software updates that address this vulnerability for all affected products except Cisco Business Edition 3000; Cisco Business Edition 3000 customers should contact their Cisco representative for available options. No workarounds that mitigate this vulnerability are available. The advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131023-struts2
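Since no workaround exists, the practical question for operators of the listed products is whether anyone has been sending such requests. The detection below is an added example, not code from Cisco, Vulnslist or the Struts project. It relies on the detail from the upstream Struts advisory that the vulnerable handler evaluates OGNL found in parameter names prefixed with action:, redirect: or redirectAction:, and it scans constructed access-log lines (the SAMPLE_LOG lines and addresses are invented for this example) for those prefixes combined with the %{ and ${ OGNL expression markers, decoding the query string repeatedly so that double URL-encoding does not hide the markers.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Common Log Format); these are invented
# for this example and are not from the page or from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2013:10:00:01 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512
10.0.0.9 - - [23/Oct/2013:10:00:02 +0000] "GET /app/index.action?redirect:%25%7B1%2B1%7D HTTP/1.1" 302 0
10.0.0.9 - - [23/Oct/2013:10:00:03 +0000] "GET /app/index.action?action:%24%7B1%2B1%7D HTTP/1.1" 200 0
10.0.0.7 - - [23/Oct/2013:10:00:04 +0000] "GET /app/search.action?q=redirect%3Ahome HTTP/1.1" 200 1024
10.0.0.9 - - [23/Oct/2013:10:00:05 +0000] "GET /app/index.action?redirectAction%3A%2525%257B1%252B1%257D HTTP/1.1" 200 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Parameter-name prefixes that the vulnerable Struts DefaultActionMapper treats
# specially (from the upstream Struts advisory S2-016, not from this page).
PREFIX_RE = re.compile(r'^(action|redirect|redirectAction):', re.IGNORECASE)
# OGNL expression markers as they appear after URL decoding.
OGNL_RE = re.compile(r'[%$]\{')


def full_decode(s, rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %2525%257B are reduced to %{."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def detect_ognl_injection(log_text):
    """Return one finding per suspicious query parameter in the log text."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m['target']).query
        # keep_blank_values: the injected parameter usually has no '=value' part,
        # so the whole payload sits in the parameter *name*.
        for name, value in parse_qsl(query, keep_blank_values=True):
            name, value = full_decode(name), full_decode(value)
            if PREFIX_RE.match(name) and OGNL_RE.search(name):
                reason = 'ognl-in-prefixed-param-name'  # high confidence
            elif OGNL_RE.search(name) or OGNL_RE.search(value):
                reason = 'ognl-marker'                  # lower confidence, review manually
            else:
                continue
            findings.append({
                'line': lineno, 'client': m['ip'], 'time': m['ts'],
                'status': m['status'], 'param': name, 'reason': reason,
            })
    return findings


if __name__ == '__main__':
    for f in detect_ognl_injection(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['reason']} param={f['param']!r}")
```

The fourth sample line is a deliberate negative case: a value of redirect:home in an ordinary parameter is not the vulnerable shape, since the prefix only matters in the parameter name. A 302 or 200 response on a flagged line is not proof of success, so treat hits as triage input, not as confirmed compromise.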


Workarounds

There is no workaround that mitigates this vulnerability.

CVEs: CVE-2013-2251
Cisco Bug IDs: CSCui22841, CSCui33268, CSCui40582, CSCui48757, CSCui51516
CVSS Score (v2): Base 9.0. Three vectors are listed; each also carries temporal metrics (E:F/RL:OF/RC:C), which the base score does not include.
  Base 9.0   AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
  Base 10.0  AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
  Base 4.0   AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:OF/RC:C
Product Names From Source: Cisco Unified Contact Center Enterprise, Cisco Identity Services Engine Software, Cisco Business Edition 3000 Software, Cisco Unified SIP Proxy, Cisco MXE 3500 (Media Experience Engine)
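The three vectors differ in authentication (Au:S vs Au:N) and in impact, and each carries temporal metrics that the quoted base scores ignore. The calculator below is an added example, not code from the page or from Cisco: it implements the CVSS v2 base and temporal equations with the weights from the CVSS v2 specification, using decimal arithmetic so the one-decimal rounding is exact, and checks the page's three vectors against their stated base scores.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights, as published in the CVSS v2 specification.
AV = {"L": "0.395", "A": "0.646", "N": "1.0"}
AC = {"H": "0.35", "M": "0.61", "L": "0.71"}
AU = {"M": "0.45", "S": "0.56", "N": "0.704"}
CIA = {"N": "0.0", "P": "0.275", "C": "0.660"}
E = {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"}
RL = {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"}
RC = {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"}

# The three vectors exactly as listed on this page, keyed by the stated base score.
PAGE_VECTORS = {
    "9.0": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C",
    "10.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C",
    "4.0": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:OF/RC:C",
}


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into {metric: value}; reject malformed input."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, val = part.partition(":")
        if not sep or not key or not val:
            raise ValueError(f"malformed metric: {part!r}")
        metrics[key] = val.upper()
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics


def _round1(x):
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def base_score(metrics):
    """CVSS v2 base equation: temporal metrics are ignored here."""
    d = Decimal
    try:
        impact = d("10.41") * (1 - (1 - d(CIA[metrics["C"]]))
                                   * (1 - d(CIA[metrics["I"]]))
                                   * (1 - d(CIA[metrics["A"]])))
        exploitability = (d("20") * d(AV[metrics["AV"]])
                          * d(AC[metrics["AC"]]) * d(AU[metrics["Au"]]))
    except KeyError as exc:
        raise ValueError(f"unknown metric value: {exc}") from None
    f_impact = d("0") if impact == 0 else d("1.176")
    return _round1((d("0.6") * impact + d("0.4") * exploitability - d("1.5")) * f_impact)


def temporal_score(metrics):
    """CVSS v2 temporal equation, or None if E/RL/RC are absent."""
    if not {"E", "RL", "RC"} <= metrics.keys():
        return None
    d = Decimal
    try:
        factor = d(E[metrics["E"]]) * d(RL[metrics["RL"]]) * d(RC[metrics["RC"]])
    except KeyError as exc:
        raise ValueError(f"unknown temporal value: {exc}") from None
    return _round1(base_score(metrics) * factor)


def score(vector):
    """Return (base, temporal) as Decimals; temporal is None without E/RL/RC."""
    m = parse_vector(vector)
    return base_score(m), temporal_score(m)


def check_page_vectors():
    """True if every listed vector recomputes to the base score the page states."""
    return all(str(score(v)[0]) == stated for stated, v in PAGE_VECTORS.items())


if __name__ == "__main__":
    for stated, v in PAGE_VECTORS.items():
        b, t = score(v)
        print(f"{v}: stated {stated}, computed base {b}, temporal {t}")
```

All three vectors recompute to the stated base scores. The temporal metrics (functional exploit, official fix, confirmed) bring them to 7.4, 8.3 and 3.3, which is what a risk register that tracks temporal scores should record once the fixed software is deployed.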

Related Products

Product                                        CVE             Evidence
Cisco Unified SIP Proxy                        CVE-2013-2251   Cisco OpenVuln
Cisco Unified Contact Center Enterprise        CVE-2013-2251   Cisco OpenVuln
Cisco Unified Contact Center                   CVE-2013-2251   Cisco OpenVuln
Cisco MXE 3500 (Media Experience Engine)       CVE-2013-2251   Cisco OpenVuln
Cisco Identity Services Engine Software        CVE-2013-2251   Cisco OpenVuln
Cisco Business Edition 3000 Software           CVE-2013-2251   Cisco OpenVuln