K24608264
Published Dec 22, 2020 - 1:45 a.m.
Apache Struts vulnerabilities CVE-2020-17530 and CVE-2021-31805

Source: support.f5.com

EPSS: 0.973 (percentile 99.9%)

  • CVE-2020-17530
    Forced OGNL evaluation applied to raw user input in tag attributes may lead to remote code execution. Affected software: Apache Struts 2.0.0 through 2.5.25.
  • CVE-2021-31805
    The fix issued for CVE-2020-17530 was incomplete: in Apache Struts 2.0.0 through 2.5.29, some tag attributes can still perform a double evaluation if a developer applied forced OGNL evaluation using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.

Impact

Using forced Object-Graph Navigation Language (OGNL) evaluation on untrusted user input allows an attacker to perform remote code execution, leading to security degradation. The weakness is in application templates rather than in the framework's request handling: an attacker supplies a string (typically through a request parameter) that the action stores in a property, and a tag attribute written as %{property} evaluates that string as OGNL a second time. Upgrading to Apache Struts 2.5.26 addresses CVE-2020-17530 and 2.5.30 addresses CVE-2021-31805; on any version, templates should not apply forced OGNL evaluation to values that can be influenced by a user.
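The following audit helper is an added example for this article, not code from F5 or the Apache Struts project. It scans Struts 2 template text for <s:…> tags whose attributes use the forced evaluation syntax %{…}, which is the pattern both CVEs above describe, and reports each occurrence. The UNTRUSTED_HINTS list, the sample template and the request-value triage check are constructed assumptions for illustration; only the <s:a id="%{skillName}"> shape mirrors the documented double-evaluation case.

```python
"""Audit helper for the forced-OGNL double-evaluation pattern behind
CVE-2020-17530 and CVE-2021-31805 (added example, not F5 or Apache code).

It scans Struts 2 template text for <s:...> tags whose attributes use the
forced evaluation syntax %{...} and reports each occurrence, and offers a
small triage check for request values that carry expression delimiters.
The "untrusted" classification is a heuristic assumption, not Struts API.
"""
import re
from dataclasses import dataclass

# A Struts tag: <s:NAME attrs>. The attribute group tolerates '>' inside
# quoted values (for example %{a > b}).
TAG_RE = re.compile(r"""<s:([A-Za-z]\w*)((?:"[^"]*"|'[^']*'|[^>"'])*)>""")
ATTR_RE = re.compile(r"""([A-Za-z_][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
FORCED_RE = re.compile(r"%\{(.*?)\}", re.DOTALL)

# Value-stack / context roots that expose request-controlled data.
# Assumption: a forced expression that reads one of these is reported as
# "high"; any other forced expression is "review", because the property it
# names may have been populated from a request parameter by the action.
UNTRUSTED_HINTS = ("#parameters", "#request", "#session", "#attr",
                   "#application", "#context")


@dataclass
class Finding:
    line: int
    tag: str
    attribute: str
    expression: str
    confidence: str  # "high" or "review"


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_template(text):
    """Return a Finding for every %{...} inside a Struts tag attribute."""
    findings = []
    for tag in TAG_RE.finditer(text):
        name, attrs = tag.group(1), tag.group(2)
        for attr in ATTR_RE.finditer(attrs):
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            for forced in FORCED_RE.finditer(value):
                expr = forced.group(1).strip()
                conf = "high" if any(h in expr for h in UNTRUSTED_HINTS) else "review"
                findings.append(Finding(_line_of(text, tag.start()), name,
                                        attr.group(1), expr, conf))
    return findings


EXPRESSION_MARKERS = ("%{", "${")


def has_expression_syntax(value):
    """Triage signal for logs or WAF review: True when a request value
    contains OGNL expression delimiters. Not proof of an attack on its own."""
    return any(marker in value for marker in EXPRESSION_MARKERS)


def render_report(findings):
    lines = []
    for f in findings:
        lines.append(f'line {f.line}: <s:{f.tag} {f.attribute}="%{{{f.expression}}}"> '
                     f'[{f.confidence}] forced OGNL evaluation; drop %{{...}} or '
                     f'ensure the value is not user-controlled')
    return lines


# Constructed sample template: the <s:a id="%{skillName}"> line is the
# documented double-evaluation shape, the rest is filler for the parser.
SAMPLE_TEMPLATE = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="search">
  <s:textfield name="q" label="Search"/>
  <s:submit value="Go"/>
</s:form>
<s:a id="%{skillName}" href="/skills">forced</s:a>
<s:url var="u" value="/list">
  <s:param name="id" value="%{#parameters.id[0]}"/>
</s:url>
<s:property value="skillName"/>
"""

if __name__ == "__main__":
    for line in render_report(scan_template(SAMPLE_TEMPLATE)):
        print(line)
    print(has_expression_syntax("%{1+1}"), has_expression_syntax("plain text"))
```

Each finding still needs a human decision: attributes that Struts already evaluates as OGNL (such as value on <s:property>) simply lose a redundant %{…}, but on string-typed attributes such as id the wrapper is what turns the property into an expression, so removing it changes output and the template author must confirm the value was never meant to be evaluated.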