ghsa-jc35-q369-45pv
Vulnerability from github
Published
2022-02-09 22:51
Modified
2022-02-08 22:01
Severity
Summary
Remote code execution in Apache Struts
Details

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-17530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-09T21:42:05Z",
    "nvd_published_at": "2020-12-11T02:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.",
  "id": "GHSA-jc35-q369-45pv",
  "modified": "2022-02-08T22:01:20Z",
  "published": "2022-02-09T22:51:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17530"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/WW/S2-061"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210115-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN43969166/index.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote code execution in Apache Struts"
}

