CVE-2020-17530
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
CVE-2021-31805
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Impact

Using a forced Object-Graph Navigation Language (OGNL) evaluation on untrusted user input allows an attacker to perform remote code execution leading to security degradation.

CPENameOperatorVersion
big-ip (aam)le15.1.5

CPE	Name	Operator	Version
	big-ip (aam)	le	15.1.5

ibm 29

prion 4

osv 8

openvas 6

nessus 9

github 5

ubuntucve 4

nuclei 3

attackerkb 3

veracode 4

cve 4

redhatcve 4

zdt 2

metasploit 1

packetstorm 2

f5 1

cisa 2

atlassian 5

threatpost 1

githubexploit 17

cnvd 1

checkpoint_advisories 2

qualysblog 3

cisa_kev 1

saint 5

jvn 2

huawei 1

thn 2

rapid7blog 1

exploitdb 1

kitploit 1

oracle 9

ibm

Security Bulletin: Multiple Vulnerabilities in Apache Struts Affect IBM eDiscovery Manager

2023-07-12 10:00:46

Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

2020-10-28 19:08:30

Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager.

2021-04-13 13:33:14

prion

Remote code execution

2022-04-12 16:15:00

Remote code execution

2020-12-11 02:15:00

Design/Logic Flaw

2020-09-14 17:15:00

osv

Expression Language Injection in Apache Struts

2022-04-13 00:00:30

CVE-2021-31805

2022-04-12 16:15:08

CVE-2020-17530

2020-12-11 02:15:10

openvas

Apache Struts Security Update (S2-062) - Active Check

2022-05-04 00:00:00

Apache Struts Security Update (S2-062) - Version Check

2022-04-13 00:00:00

Apache Struts 2.x < 2.5.22 Multiple Vulnerabilities (S2-059, S2-060) - Linux

2020-08-17 00:00:00

nessus

Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062)

2022-04-12 00:00:00

F5 Networks BIG-IP : Apache Struts vulnerabilities (K24608264)

2023-11-03 00:00:00

F5 Networks BIG-IP : Apache Struts vulnerabilities (K35226442)

2023-11-03 00:00:00

github

Expression Language Injection in Apache Struts

2022-04-13 00:00:30

Remote code execution in Apache Struts

2022-02-09 22:51:56

Improper Preservation of Permissions in Apache Struts

2022-05-24 17:28:11

ubuntucve

CVE-2021-31805

2022-04-12 00:00:00

CVE-2020-17530

2020-12-11 00:00:00

CVE-2019-0233

2020-09-14 00:00:00

nuclei

Apache Struts2 S2-062 - Remote Code Execution

2022-04-18 11:08:19

Apache Struts 2.0.0-2.5.25 - Remote Code Execution

2021-01-27 18:47:58

Apache Struts <=2.5.20 - Remote Code Execution

2021-03-18 16:04:40

attackerkb

CVE-2021-31805

2022-04-12 00:00:00

CVE-2020-17530

2020-12-11 00:00:00

CVE-2019-0230

2020-09-14 00:00:00

veracode

Remote Code Execution (RCE)

2022-04-13 04:46:59

Remote Code Execution

2020-12-09 05:42:42

Denial Of Service (DoS)

2020-08-14 01:44:26

cve

CVE-2021-31805

2022-04-12 16:15:00

CVE-2020-17530

2020-12-11 02:15:00

CVE-2019-0233

2020-09-14 17:15:00

redhatcve

CVE-2021-31805

2022-04-13 06:28:32

CVE-2020-17530

2020-12-08 19:34:44

CVE-2019-0233

2020-08-18 19:29:38

zdt

Apache Struts 2 Forced Multi OGNL Evaluation Exploit

2020-12-24 00:00:00

Apache Struts 2.5.20 - Double OGNL evaluation Exploit

2020-11-17 00:00:00

metasploit

Apache Struts 2 Forced Multi OGNL Evaluation

2020-12-16 00:17:35

packetstorm

Apache Struts 2 Forced Multi OGNL Evaluation

2020-12-24 00:00:00

Apache Struts 2.5.20 Double OGNL Evaluation

2020-11-17 00:00:00

K35226442 : Apache Struts vulnerabilities CVE-2019-0233 and CVE-2019-0230

2020-09-11 00:00:00

cisa

Apache Releases Security Advisory for Struts 2

2020-08-14 00:00:00

Apache Releases Security Update for Apache Struts 2

2020-12-08 00:00:00

atlassian

Struts 2 CVE-2019-0230 and CVE-2019-0233 impact on Confluence

2020-08-18 13:48:36

Update Apache Struts 2 to avoid CVE-2020-17530

2021-02-22 11:35:48

Update Apache Struts 2 to avoid CVE-2020-17530

2021-02-22 11:35:48

threatpost

PoC Exploit Targeting Apache Struts Surfaces on GitHub

2020-08-14 21:20:01

githubexploit

Exploit for Expression Language Injection in Apache Struts

2022-07-10 14:48:52

Exploit for Expression Language Injection in Apache Struts

2022-04-15 04:23:44

Exploit for Expression Language Injection in Apache Struts

2022-04-15 16:09:52

cnvd

Apache Struts Remote Code Execution Vulnerability (CNVD-2023-02478)

2022-04-15 00:00:00

checkpoint_advisories

Apache Struts Remote Code Execution (CVE-2021-31805)

2022-05-02 00:00:00

Apache Struts Remote Code Execution (CVE-2020-17530)

2020-12-21 00:00:00

qualysblog

Apache Struts 2 Double OGNL Evaluation Vulnerability (CVE-2020-17530)

2021-09-21 14:40:00

Identify Server-Side Attacks Using Qualys Periscope

2022-12-01 23:11:35

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR

2022-02-23 05:39:00

cisa_kev

Apache Struts Remote Code Execution Vulnerability

2021-11-03 00:00:00

saint

Apache Struts forced OGNL evaluation incomplete fix

2022-04-26 00:00:00

Apache Struts forced OGNL evaluation incomplete fix

2022-04-26 00:00:00

Apache Struts double OGNL evaluation

2020-11-27 00:00:00

jvn

JVN#43969166: Apache Struts 2 vulnerable to remote code execution (S2-061)

2020-12-11 00:00:00

JVN#50890770: Apache Struts 2 vulnerable to denial-of-service (DoS)

2020-08-25 00:00:00

huawei

Security Advisory - Remote Code Execution vulnerability in Apache Struts2

2020-09-02 00:00:00

thn

Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware

2022-10-21 14:56:00

Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems

2021-08-23 13:27:00

rapid7blog

Metasploit Wrap-Up

2021-01-08 19:54:36

exploitdb

Apache Struts 2.5.20 - Double OGNL evaluation

2020-11-17 00:00:00

kitploit

Vulmap - Web Vulnerability Scanning And Verification Tools

2020-12-25 11:30:00

oracle

Oracle Critical Patch Update Advisory - January 2021

2021-01-19 00:00:00

Oracle Critical Patch Update Advisory - April 2021

2021-04-20 00:00:00

Oracle Critical Patch Update Advisory - October 2021

2021-10-19 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Related for F5:K24608264