CRITICAL✓ PATCH🇬🇧 English

CVE-2021-31805

CVSS 9.8v3.1pub. 2022-04-12upd. 2024-11-21

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Struts

    APP
    Apache
    2.0.0 – 2.5.29
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2017-9791CRITICAL9.8⚠ KEVten sam produkt

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...

CVE-2017-5638CRITICAL9.8⚠ KEVten sam produkt

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...

CVE-2013-2251CRITICAL9.8⚠ KEVten sam produkt

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...

CVE-2012-0391CRITICAL9.8⚠ KEVten sam produkt

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressio...