Apache Struts double OGNL evaluation

Added: 11/27/2020
CVE: CVE-2019-0230

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities.

Problem

Apache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request.

Resolution

Upgrade to Struts 2.5.22 or higher.

References

https://cwiki.apache.org/confluence/display/ww/s2-059

Limitations

curl must be installed on the target for this exploit to succeed.

Platforms

Linux

Back to exploit index