Vulnerabilities > CVE-2020-17530 - Expression Language Injection vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

apache

oracle

CWE-917

NVD

Published: 2020-12-11

Updated: 2022-06-03

Summary

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Struts 2.0.0 Apache Struts 2.0.1 Apache Struts 2.0.2 Apache Struts 2.0.3 Apache Struts 2.0.4 Apache Struts 2.0.5 Apache Struts 2.0.6 Apache Struts 2.0.7 Apache Struts 2.0.8 Apache Struts 2.0.9 Apache Struts 2.0.10 Apache Struts 2.0.11 Apache Struts 2.0.11.1 Apache Struts 2.0.11.2 Apache Struts 2.0.12 Apache Struts 2.0.13 Apache Struts 2.0.14 Apache Struts 2.1.0 Apache Struts 2.1.1 Apache Struts 2.1.2 Apache Struts 2.1.3 Apache Struts 2.1.4 Apache Struts 2.1.5 Apache Struts 2.1.6 Apache Struts 2.1.7 Apache Struts 2.1.8 Apache Struts 2.1.8.1 Apache Struts 2.2.1 Apache Struts 2.2.1.1 Apache Struts 2.2.3 Apache Struts 2.2.3.1 Apache Struts 2.3.0 Apache Struts 2.3.1 Apache Struts 2.3.1.1 Apache Struts 2.3.1.2 Apache Struts 2.3.3 Apache Struts 2.3.4 Apache Struts 2.3.4.1 Apache Struts 2.3.5 Apache Struts 2.3.6 Apache Struts 2.3.7 Apache Struts 2.3.8 Apache Struts 2.3.9 Apache Struts 2.3.10 Apache Struts 2.3.11 Apache Struts 2.3.12 Apache Struts 2.3.13 Apache Struts 2.3.14 Apache Struts 2.3.14.1 Apache Struts 2.3.14.2 Apache Struts 2.3.14.3 Apache Struts 2.3.15 Apache Struts 2.3.15.1 Apache Struts 2.3.15.2 Apache Struts 2.3.15.3 Apache Struts 2.3.16 Apache Struts 2.3.16.1 Apache Struts 2.3.16.2 Apache Struts 2.3.16.3 Apache Struts 2.3.17 Apache Struts 2.3.19 Apache Struts 2.3.20 Apache Struts 2.3.20.1 Apache Struts 2.3.20.2 Apache Struts 2.3.20.3 Apache Struts 2.3.21 Apache Struts 2.3.22 Apache Struts 2.3.23 Apache Struts 2.3.24 Apache Struts 2.3.24.1 Apache Struts 2.3.24.2 Apache Struts 2.3.24.3 Apache Struts 2.3.25 Apache Struts 2.3.26 Apache Struts 2.3.27 Apache Struts 2.3.28 Apache Struts 2.3.28.1 Apache Struts 2.3.29 Apache Struts 2.3.30 Apache Struts 2.3.31 Apache Struts 2.3.32 Apache Struts 2.3.33 Apache Struts 2.3.34 Apache Struts 2.5 Apache Struts 2.5.0 Apache Struts 2.5.1 Apache Struts 2.5.2 Apache Struts 2.5.3 Apache Struts 2.5.4 Apache Struts 2.5.5 Apache Struts 2.5.6 Apache Struts 2.5.7 Apache Struts 2.5.8 Apache Struts 2.5.9 Apache Struts 2.5.10 Apache Struts 2.5.10.1 Apache Struts 2.5.11 Apache Struts 2.5.12 Apache Struts 2.5.13 Apache Struts 2.5.14 Apache Struts 2.5.14.1 Apache Struts 2.5.15 Apache Struts 2.5.16 Apache Struts 2.5.17 Apache Struts 2.5.18 Apache Struts 2.5.19 Apache Struts 2.5.20 Apache Struts 2.5.21 Apache Struts 2.5.22 Apache Struts 2.5.23 Apache Struts 2.5.24 Apache Struts 2.5.25 Apache Struts 2.5.26 Apache Struts 2.5.27 Apache Struts 2.5.28 Apache Struts 2.5.29	119
Application	Oracle Oracle Business Intelligence 12.2.1.3.0 Oracle Business Intelligence 12.2.1.4.0 Oracle Communications Policy Management 12.5.0 Oracle Financial Services Data Integration HUB 8.0.6 Oracle Financial Services Data Integration HUB 8.0.3 Oracle Hospitality Opera 5 5.6 Oracle Communications Pricing Design Center 12.0.0.3.0 Oracle Mysql Enterprise Monitor 8.0.23 Oracle Communications Diameter Intelligence HUB 8.2.3 Oracle Communications Diameter Intelligence HUB 8.0.0 Oracle Communications Diameter Intelligence HUB 8.2.0 Oracle Communications Diameter Intelligence HUB 8.1.0	12

Common Weakness Enumeration (CWE)

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Vulnerabilities > CVE-2020-17530 - Expression Language Injection vulnerability in multiple products

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Related news

References