Security News > 2022 > April > Critical Apache Struts RCE vulnerability wasn't fully fixed, patch now
Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied.
Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.
Although Apache had resolved the 2020 bug in Struts 2.5.26, researcher Chris McCown later discovered that the applied fix was incomplete.
McCown responsibly reported to Apache that the "Double evaluation" problem could still be reproduced in Struts versions 2.5.26 and above, resulting in the assignment of CVE-2021-31805.
Users are advised to upgrade to Struts 2.5.30 or greater and to avoid using forced OGNL evaluation in the tag's attributes based on untrusted user input.
The Struts framework has had a history of critical vulnerabilities, in particular remote code execution flaws resulting from insecure OGNL use.
News URL
Related news
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Lightning AI Studio Vulnerability Could've Allowed RCE via Hidden URL Parameter (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-12 | CVE-2021-31805 | Expression Language Injection vulnerability in Apache Struts The fix issued for CVE-2020-17530 was incomplete. | 9.8 |