Security Advisory - Remote Code Execution vulnerability in Apache Struts 2

ID HUAWEI-SA-20200902-01-STRUTS2
Type huawei
Reporter Huawei Technologies
Modified 2020-09-02T00:00:00


The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tag attributes such as id, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution. The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request. This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-0230. Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:
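To locate the pattern this advisory describes in your own JSP templates, the following added example (not Huawei or Apache code) lists every Struts tag attribute that forces OGNL evaluation with the `%{...}` syntax. The sample page is constructed, and the fallback to the conventional `s` prefix is an assumption. A static scan cannot tell whether an expression reaches unvalidated request input, so each hit needs manual review.

```python
import re

# Quoted attribute: name="value" or name='value'
ATTR = re.compile(r'''([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')''')
# JSP taglib directive, e.g. <%@ taglib prefix="s" uri="/struts-tags" %>
DIRECTIVE = re.compile(r'<%@\s*taglib\b(.*?)%>', re.S)
# Forced OGNL evaluation marker inside an attribute value
FORCED = re.compile(r'%\{([^}]*)\}')
# Tag name plus its quoted attributes, following the "<prefix" part
TAG_BODY = r''':([\w-]+)((?:\s+[\w:-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*/?>'''

# Constructed sample page, not taken from any real application.
SAMPLE = '''<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url var="url" action="list"/>
<s:a id="%{skillName}" href="%{url}">List</s:a>
<s:textfield name="title" label="Title"/>
<p id="%{notStruts}">plain HTML, ignored</p>
'''

def attrs(text):
    """Return {name: value} for the quoted attributes found in text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTR.finditer(text)}

def struts_prefixes(jsp):
    """Prefixes bound to the Struts tag library by taglib directives."""
    found = {a.get("prefix") for a in map(attrs, DIRECTIVE.findall(jsp))
             if a.get("uri") == "/struts-tags"}
    found.discard(None)
    return found or {"s"}  # assumption: conventional prefix if no directive

def find_forced_ognl(jsp):
    """List (line, tag, attribute, expression) per %{...} in a Struts tag."""
    findings = []
    for prefix in sorted(struts_prefixes(jsp)):
        tag_re = re.compile("<" + re.escape(prefix) + TAG_BODY)
        for tag in tag_re.finditer(jsp):
            line = jsp.count("\n", 0, tag.start()) + 1
            for name, value in attrs(tag.group(2)).items():
                for expr in FORCED.findall(value):
                    findings.append((line, tag.group(1), name, expr))
    return findings

if __name__ == "__main__":
    for line, tag, name, expr in find_forced_ognl(SAMPLE):
        print(f"line {line}: <{tag}> {name} forces OGNL evaluation of {expr!r}")
```

Hits on attributes such as id, which the advisory names, are the first ones to review while the fixed software is being rolled out.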