Vulnerability in Apache Software Foundation Struts
CVE-2020-17530
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.
Affected products
- Apache Software Foundation Struts — versions Struts 2.0.0 - Struts 2.5.25
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
References
- cwiki.apache.org/confluence/display/WW/S2-061 (x_refsource_CONFIRM)
- JVN#43969166 (third-party-advisory, x_refsource_JVN)
- www.oracle.com/security-alerts/cpujan2021.html (x_refsource_MISC)
- packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluati… (x_refsource_MISC)
- security.netapp.com/advisory/ntap-20210115-0005/ (x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuApr2021.html (x_refsource_MISC)
- www.oracle.com//security-alerts/cpujul2021.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2021.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpujan2022.html (x_refsource_MISC)
- [oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-17530?
- CVE-2020-17530 is a vulnerability in Apache Software Foundation Struts. Published 2020-12-11.
- Is CVE-2020-17530 known to be exploited?
- Yes. CVE-2020-17530 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 88 public proof-of-concept repositories are indexed.