Critical Apache Struts RCE vulnerability wasn't fully fixed, patch now

2022-04-13 14:35

Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied.

Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.

Although Apache had resolved the 2020 bug in Struts 2.5.26, researcher Chris McCown later discovered that the applied fix was incomplete.

McCown responsibly reported to Apache that the "Double evaluation" problem could still be reproduced in Struts versions 2.5.26 and above, resulting in the assignment of CVE-2021-31805.

Users are advised to upgrade to Struts 2.5.30 or greater and to avoid using forced OGNL evaluation in the tag's attributes based on untrusted user input.

The Struts framework has had a history of critical vulnerabilities, in particular remote code execution flaws resulting from insecure OGNL use.

News URL

https://www.bleepingcomputer.com/news/security/critical-apache-struts-rce-vulnerability-wasnt-fully-fixed-patch-now/

#apache #apachestruts #critical #patch #RCE #struts #vulnerability #CVE-2021-31805

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2022-04-12	CVE-2021-31805	Expression Language Injection vulnerability in Apache Struts The fix issued for CVE-2020-17530 was incomplete. network low complexity apache CWE-917 critical	9.8

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Apache		283	13	567	725	381	1686

News URL

Related news

Related Vulnerability

Related vendor