CVE-2013-4212
Currently unrated
Key Information:
Badges
- 👾 Exploit Exists
- 🟡 Public PoC
- 🟣 EPSS 94%
Summary
Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated by the pageTitle parameter in the !getPageTitle sub-URL to roller-ui/login.rol, which uses a subclass of UIAction, aka "OGNL Injection."
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
EPSS Score
94% chance of being exploited in the next 30 days.
Timeline
- Vulnerability published
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability Reserved