Possible Code Execution Flaw in Apache Struts

2020-12-08 19:51

The Apache Software Foundation has released a security update for Struts 2, to address what is described as a "Possible remote code execution" flaw related to the OGNL technology.

Tracked as CVE-2020-17530, the newly addressed bug resides in "Forced OGNL evaluation, when evaluated on raw user input in tag attributes," according to an Apache advisory.

Remote code execution could be achieved when forced OGNL evaluation is used on untrusted input.

The workaround solution proposed by Apache is simple: developers should make sure that forced OGNL evaluation is not used on untrusted input.

The vulnerability was found to affect Struts 2.0.0 to Struts 2.5.25 and was addressed in Struts 2.5.26, where checks are performed to ensure that expression evaluation won't result in double evaluation.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/D26G_G_pI5k/possible-code-execution-flaw-apache-struts

#apache #apachestruts #codeexecution #struts #CVE-2020-17530

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2020-12-11	CVE-2020-17530	Expression Language Injection vulnerability in multiple products Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. network low complexity apache oracle CWE-917	7.5

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Apache		295	59	844	630	289	1822