Vulnerability in Apache Struts
CVE-2019-0230
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
EPSS: 0.938 (99.9th percentile)
Affected products
- Apache Struts (vendor: N/a) — versions 2.0.0 to 2.5.20
Public proof-of-concept exploits
References
- cwiki.apache.org/confluence/display/ww/s2-059 (x_refsource_MISC)
- www.oracle.com/security-alerts/cpujan2021.html (x_refsource_MISC)
- packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluatio… (x_refsource_MISC)
- launchpad.support.sap.com/ (x_refsource_MISC)
- packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluati… (x_refsource_MISC)
- [announce] 20210125 Apache Software Foundation Security Report: 2020 (mailing-list, x_refsource_MLIST)
- [announce] 20210223 Re: Apache Software Foundation Security Report: 2020 (mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpuApr2021.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2021.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2019-0230?
- CVE-2019-0230 is a vulnerability in Apache Struts. Published 2020-09-14.
- Is CVE-2019-0230 known to be exploited?
- 56 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.