QID 150354

Date Published: 2021-08-09

QID 150354: Apache Struts 2 Double OGNL Evaluation Vulnerability (CVE-2020-17530)

Apache Struts 2 is an open-source web application framework for developing Java EE web applications. A vulnerability CVE-2020-17530 exists due to use of forced OGNL evaluation on untrusted user input in tag attributes, leading to a Remote Code Execution.

Affected Versions:
Apache Struts 2.0.0 - 2.5.25

QID Detection Logic:
This QID sends POST and GET request along with the payload, which triggers a remote code execution. Successful execution on a Linux system results in contents of shadow file getting detected in the response, whereas on a Windows system a string is echoed using cmd and detected in the response.

A remote attacker could exploit this vulnerability to execute arbitrary code on the targeted system.

CVSS V3 rated as Critical - 9.8 severity.

CVSS V2 rated as High - 7.5 severity.

Solution

Please refer Apache Security Bulletin S2-061 for more details on remediating this vulnerability.

Vendor References

Apache Announcement - struts.apache.org/announce-2020.html#a20201208

CVEs related to QID 150354

CVE-2020-17530 |

Software Advisories

Advisory ID	Software	Component	Link
S2-061			struts.apache.org/announce-2020.html#a20201208

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].