Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Struts
APPApache2.0.0 – 2.5.30 (bez)Oracle Business Intelligence
APPOracle12.2.1.3.012.2.1.4.0Oracle Communications Diameter Intelligence Hub
APPOracle8.0.08.1.08.2.08.2.3Oracle Communications Policy Management
APPOracle12.5.0Oracle Communications Pricing Design Center
APPOracle12.0.0.3.0Oracle Financial Services Data Integration Hub
APPOracle8.0.38.0.6Oracle Hospitality Opera 5
APPOracle5.6Oracle MySQL Enterprise Monitor
APPOracle8.0.23
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Struts
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
Apply updates per vendor instructions.
Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.
Related vulnerabilities
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache To...
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5....