Security Advisory - Remote Code Execution vulnerability in Apache Struts 2

2020-09-02T00:00:00
ID HUAWEI-SA-20200902-01-STRUTS2
Type huawei
Reporter Huawei Technologies
Modified 2020-09-02T00:00:00

Description

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tag attributes such as id, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution. The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, and only when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request. This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-0230. Huawei has released software updates to fix this vulnerability. This advisory is available at the following link: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200902-01-struts2-en
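The risky pattern described above is a Struts tag attribute written as %{...} (forced OGNL evaluation) whose expression reads request data directly. The following audit script is an added example, not part of this advisory or of Huawei's or Apache's code: it scans JSP text for Struts tags with forced-evaluation attributes and flags those whose expression references the OGNL roots #parameters or #request (a heuristic marker list assumed here, not an exhaustive one). The sample JSP fragment is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Struts tags are written as <s:tagname ...>; an attribute value wrapped in %{...}
# forces OGNL evaluation of that value. These regexes are heuristics, not a JSP parser.
TAG_RE = re.compile(r"<s:(?P<tag>[A-Za-z]+)\b(?P<attrs>[^>]*)>", re.S)
ATTR_RE = re.compile(r'(?P<name>[A-Za-z_]+)\s*=\s*"(?P<value>[^"]*)"', re.S)
FORCED_RE = re.compile(r"%\{(?P<expr>.*?)\}", re.S)

# OGNL roots that resolve straight to client-controlled request data.
# Assumed heuristic list for this example; extend it to match your code base.
RAW_INPUT_MARKERS = ("#parameters", "#request")

Finding = Tuple[int, str, str, str]  # (line number, tag, attribute, expression)


def find_forced_ognl_on_raw_input(jsp: str) -> List[Finding]:
    """Return Struts tag attributes whose forced OGNL expression reads raw request input."""
    findings: List[Finding] = []
    for tag_match in TAG_RE.finditer(jsp):
        # 1-based line number of the tag's opening '<' for reporting
        line_no = jsp.count("\n", 0, tag_match.start()) + 1
        for attr in ATTR_RE.finditer(tag_match.group("attrs")):
            for forced in FORCED_RE.finditer(attr.group("value")):
                expr = forced.group("expr")
                if any(marker in expr for marker in RAW_INPUT_MARKERS):
                    findings.append((line_no, tag_match.group("tag"), attr.group("name"), expr))
    return findings


# Constructed sample JSP fragment (not from the advisory): the first tag forces
# evaluation of a request parameter into the id attribute (the pattern to flag),
# the second uses a literal id, the third forces evaluation of an action property,
# which does not read raw request input and is therefore not reported.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a id="%{#parameters.skin[0]}" href="/home">Home</s:a>
<s:textfield name="username" id="userField"/>
<s:url id="%{pageId}" action="index"/>
"""

if __name__ == "__main__":
    for line_no, tag, attr, expr in find_forced_ognl_on_raw_input(SAMPLE_JSP):
        print(f"line {line_no}: <s:{tag}> attribute '{attr}' forces OGNL on raw input: {expr}")
```

A hit means the value is evaluated once when the tag attribute is read and again when it is rendered; the remediation is to stop forcing evaluation on request-derived values and to apply the vendor's fixed software release.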