OGNL Injection Vulnerability in Apache Roller by Apache
CVE-2013-4212

Currently unrated

Key Information:

Vendor: Apache
Status: Roller
Vendor: CVE Published:; 7 December 2013

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 87%

What is CVE-2013-4212?

In Apache Roller versions prior to 5.0.2, certain getText methods in the ActionSupport controller are susceptible to OGNL injection. This vulnerability enables remote attackers to execute arbitrary OGNL (Object-Graph Navigation Language) expressions by crafting inputs to parameters, such as the pageTitle parameter in a specific URL pattern. Successful exploitation could allow an attacker to manipulate the application’s behavior and potentially gain unauthorized access or execute arbitrary code.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2013-4212
Created by Rapid7

References

http://rollerweblogger.org/project/entry/apache_roller_5_0_2

x_refsource_CONFIRM

http://www.osvdb.org/100342

vdb-entryx_refsource_OSVDB

http://www.exploit-db.com/exploits/29859

exploitx_refsource_EXPLOIT-DB

EPSS Score

87% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 7, 2013
🟡
Public PoC available
Nov 19, 2013
👾
Exploit known to exist
Nov 19, 2013
Vulnerability Reserved
Jun 12, 2013