CVE-2013-2251 — Apache Struts Improper Input Validation Vulnerability

Apache Struts 2 — S2-016 redirectAction Prefix OGNL Injection Enables Unauthenticated Remote Code Execution

What is Apache Struts?

Apache Struts 2 is an open-source MVC framework widely used to build enterprise Java web applications. It powers a large fraction of Java-based enterprise portals, banking applications, and government systems. Struts 2's action URL routing interprets special parameter prefixes to redirect requests — a convenience feature that became a vector for remote code execution when the values were processed through the framework's OGNL expression evaluator without proper sanitization.

Overview

CVE-2013-2251 (Apache Struts Security Bulletin S2-016) is an OGNL injection vulnerability in Apache Struts 2's redirectAction: and redirect: parameter prefixes. When a Struts 2 action URL includes a parameter named redirect: or redirectAction:, the framework evaluates the parameter value as an OGNL expression to construct the redirect target. Because OGNL can invoke arbitrary Java methods, this allows a remote unauthenticated attacker to execute arbitrary OS commands on the server simply by including an OGNL expression in a specially crafted URL.

Apache patched this in Struts 2.3.15.1 via security bulletin S2-016.

Affected Versions

Product            Vulnerable Versions      Fixed Version
Apache Struts 2    2.0.0 through 2.3.15     2.3.15.1

Technical Details

Apache Struts 2's URL processing intercepts certain parameter name prefixes and treats them as special directives:

  • action: — invoke a named action
  • redirect: — issue an HTTP redirect to the specified URL
  • redirectAction: — redirect to a named Struts action

The vulnerability is that the value provided to these prefixes is passed directly into an OGNL expression evaluator to resolve the target action or URL. OGNL (Object-Graph Navigation Language) is a full expression language capable of calling arbitrary Java methods, accessing static class members, and executing code via Runtime.exec() or similar mechanisms.

An attacker can pass a parameter like redirectAction:%{...OGNL expression...} in a GET or POST request to any Struts 2 application endpoint. The OGNL expression evaluates in the context of the Struts runtime with full Java execution privileges, resulting in server-side code execution as the web application user.

No authentication required: The exploit works against any accessible Struts 2 action URL. The attacker only needs to reach an endpoint served by a vulnerable Struts 2 application.

Relationship to CVE-2012-0391: This vulnerability is structurally similar to CVE-2012-0391 (S2-009, ExceptionDelegator OGNL injection). Both stem from OGNL evaluation of untrusted input; S2-016 affects a different code path (redirect parameter processing rather than exception handling).
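To show how the request shape described above can be spotted on the defensive side (the WAF rule in the Remediation section works on the same principle), here is an added Python example; it is not part of this advisory and not Apache Struts code. It scans constructed web-server access-log lines for parameter names that begin with the redirect:, redirectAction: or action: prefixes and for the %{ and ${ expression markers, percent-decoding repeatedly so that encoded and double-encoded forms are not missed. The log lines and the placeholder expression %{1+1} are constructed; the case-insensitive prefix match and the marker set are defensive choices of this example, not a description of Struts internals.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter-name prefixes that Struts 2 up to 2.3.15 treated as directives (S2-016 / S2-017).
STRUTS_PREFIXES = ("redirect:", "redirectaction:", "action:")
# Expression markers that signal an OGNL payload in the target; checked after decoding.
OGNL_MARKER = re.compile(r"[%$]\{")
# Combined-log request line: client, identd, user, [timestamp], "METHOD target HTTP/x"
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic); %{1+1} stands in for an OGNL expression.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2013:10:01:02 +0000] "GET /app/index.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jul/2013:10:01:07 +0000] "GET /app/login.action?redirect:%25%7B1%2B1%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [16/Jul/2013:10:01:09 +0000] "GET /app/login.action?redirectAction:%2525%257B1%252B1%257D HTTP/1.1" 302 0',
    '10.0.0.7 - - [16/Jul/2013:10:02:11 +0000] "POST /app/search.action?q=redirect:home HTTP/1.1" 200 2048',
    '10.0.0.8 - - [16/Jul/2013:10:03:30 +0000] "GET /app/view.action?action:listUsers HTTP/1.1" 200 900',
]


def fully_decode(text, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect_parameter(name, value):
    """Return the reasons one query parameter looks like an S2-016 probe (empty if clean)."""
    reasons = []
    name_d, value_d = fully_decode(name), fully_decode(value)
    for prefix in STRUTS_PREFIXES:
        if name_d.lower().startswith(prefix):
            reasons.append("prefix:" + prefix)
            break
    # Struts carries the redirect target in the parameter *name* (redirect:<target>),
    # so the name is searched for expression markers, not just the value.
    if OGNL_MARKER.search(name_d) or OGNL_MARKER.search(value_d):
        reasons.append("ognl-marker")
    return reasons


def scan_log(lines):
    """Return one finding per suspicious parameter across the given access-log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = inspect_parameter(name, value)
            if reasons:
                findings.append({"line": lineno, "client": match.group("client"),
                                 "param": fully_decode(name), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two points the sample set is built to show: the fourth line carries "redirect:" only inside a parameter value, which Struts never treated as a directive, so it is correctly left alone; and the third line is double-encoded, which a single percent-decode would miss. Access logs do not record POST bodies, so a scan like this catches GET probes only; a WAF or request filter that applies the same checks to body parameters covers both.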

Discovery

The vulnerability was discovered and reported to the Apache Struts security team. Security bulletin S2-016 was published alongside S2-017, which addressed a related issue in the action: prefix. Public proof-of-concept code appeared immediately after disclosure, driving rapid exploitation.

Exploitation Context

CVE-2013-2251 was exploited extensively in the wild against enterprise Java web applications. Struts 2 was deployed in many high-value targets including financial institutions, government agencies, and large enterprises — the same profile of targets that made the later CVE-2017-5638 (Struts remote code execution used in the Equifax breach) so damaging. The trivial one-request exploitation and the large installed base of unpatched Struts 2 applications made this a high-value commodity exploit for years after disclosure.

Remediation

  1. Upgrade to Struts 2.3.15.1 or later — patches both S2-016 and S2-017
  2. If immediate patching is not possible, consider deploying a WAF rule that blocks requests containing parameter names beginning with redirect:, redirectAction:, or action: (normalize percent-encoding before matching, since the prefix may arrive encoded)
  3. Run Struts applications with least-privilege OS users — limits damage from successful RCE
  4. Review all Struts 2 deployments across the organization; Struts 2 applications are often long-running and may not appear in current asset inventories
  5. Upgrade to Struts 2.5.x or later for actively maintained security support
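Item 4 above calls for finding every Struts 2 deployment, which in practice means locating struts2-core jars on disk and comparing their version against the affected range in this advisory. The following is an added Python example, not Apache or Struts project code: it walks a directory tree, reads the version from the Maven pom.properties entry inside each jar (falling back to the file name when that entry is absent), and classifies it against the 2.0.0 through 2.3.15 affected range with 2.3.15.1 as the first fixed release. The sample webapp tree, including a jar renamed to drop its version, is constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile
import zipfile

# Maven-built struts2-core jars carry their version in this properties entry.
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
# Matches struts2-core-2.3.15.jar as well as a renamed struts2-core.jar (version group absent).
JAR_NAME = re.compile(r"^struts2-core(?:-(\d+(?:\.\d+)*))?\.jar$")
FIRST_VULNERABLE = (2, 0, 0)    # advisory: 2.0.0 through 2.3.15 affected
FIRST_FIXED = (2, 3, 15, 1)     # advisory: fixed in 2.3.15.1


def parse_version(text):
    """'2.3.15.1' -> (2, 3, 15, 1); tuples compare element-wise, so 2.3.15 < 2.3.15.1."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when the version lies in the half-open range [2.0.0, 2.3.15.1)."""
    return FIRST_VULNERABLE <= parse_version(version) < FIRST_FIXED


def jar_version(path):
    """Prefer the version recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            for line in zf.read(POM_PROPERTIES).decode().splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError):
        pass  # not a jar, or no pom.properties entry: use the file name
    match = JAR_NAME.match(os.path.basename(path))
    return match.group(1) if match else None


def find_struts_jars(root):
    """Return (relative path, version, status) for every struts2-core jar under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not JAR_NAME.match(fname):
                continue
            path = os.path.join(dirpath, fname)
            version = jar_version(path)
            if version is None:
                status = "unknown"
            else:
                status = "VULNERABLE" if is_vulnerable(version) else "ok"
            results.append((os.path.relpath(path, root), version, status))
    return sorted(results)


def build_sample_tree():
    """Construct a fake webapps tree of minimal jars (zip files) for an offline run."""
    root = tempfile.mkdtemp(prefix="struts-inventory-")
    samples = [
        ("portal/WEB-INF/lib/struts2-core-2.3.15.jar", "2.3.15"),
        ("payments/WEB-INF/lib/struts2-core-2.3.15.1.jar", "2.3.15.1"),
        ("legacy/WEB-INF/lib/struts2-core.jar", "2.1.8.1"),      # version only inside the jar
        ("modern/WEB-INF/lib/struts2-core-2.5.26.jar", "2.5.26"),
        ("reports/WEB-INF/lib/struts2-core-2.3.14.3.jar", None),  # no pom.properties: name fallback
        ("old/WEB-INF/lib/struts-core-1.3.10.jar", None),         # Struts 1, not in scope
    ]
    for rel, version in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PROPERTIES, "version=%s\n" % version)
    return root


if __name__ == "__main__":
    for rel, version, status in find_struts_jars(build_sample_tree()):
        print("%-12s %-10s %s" % (status, version, rel))
```

Version comparison is done on integer tuples rather than strings so that 2.3.15 sorts before 2.3.15.1 and 2.3.14.3 before 2.3.15; a string comparison would get the four-component fixed release wrong. Reading the version from inside the jar matters for item 4 of the remediation list because long-running deployments are often shipped with renamed or repackaged jars whose file names no longer carry a version.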

Key Details

Property               Value
CVE ID                 CVE-2013-2251
Vendor / Product       Apache — Struts
NVD Published          2013-07-20
NVD Last Modified      2025-10-22
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-74
CISA KEV Added         2022-03-25
CISA KEV Deadline      2022-04-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date          Event
2013-07-16    Apache Struts releases 2.3.15.1 patching S2-016 (CVE-2013-2251) and S2-017
2013-07-20    CVE-2013-2251 published
2013-07       Widespread exploitation begins; proof-of-concept code published publicly
2022-03-25    Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15    CISA BOD 22-01 remediation deadline

References

Resource                                     Type
NVD — CVE-2013-2251                          Vulnerability Database
CISA KEV Catalog Entry                       US Government
Apache Struts Security Bulletin S2-016       Vendor Advisory