Apache Struts forced OGNL evaluation
Added: 02/03/2021
Background
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities.
Problem
A vulnerability in Apache Struts could allow remote attackers to execute arbitrary commands if the application uses forced OGNL evaluation on user input.
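The condition described above is a coding pattern, so it can be looked for during review as well as fixed by upgrading. The following script is an added example (not part of this advisory or of the Struts project) that scans JSP source for Struts tag attributes wrapped in the forced-evaluation syntax `%{...}`, so that a reviewer can check whether the expression inside is derived from raw request data. The sample JSP it scans is constructed for the example; `find_forced_evaluation` and `Finding` are names chosen here, not Struts APIs.

```python
"""Static check: list Struts tag attributes that use forced OGNL evaluation.

Assumptions (not taken from the advisory): tags use the conventional 's:' prefix
and attribute values are double-quoted. The output is a review worklist, not a
verdict; each hit must be checked against where the inner value comes from.
"""
import re
from typing import List, NamedTuple

# A Struts tag: '<s:tagname ...attributes...>' or the self-closing '<s:tagname ... />'.
STRUTS_TAG_RE = re.compile(r'<s:(?P<tag>[\w-]+)\b(?P<attrs>[^>]*?)/?>', re.DOTALL)

# An attribute whose whole value is forced to be evaluated as OGNL: attr="%{expr}".
FORCED_ATTR_RE = re.compile(r'(?P<attr>[\w:-]+)\s*=\s*"%\{(?P<expr>[^}]*)\}"')


class Finding(NamedTuple):
    line: int        # 1-based line of the tag in the JSP text
    tag: str         # Struts tag name without the 's:' prefix
    attribute: str   # attribute carrying the forced evaluation
    expression: str  # the OGNL expression inside %{...}


def find_forced_evaluation(jsp_text: str) -> List[Finding]:
    """Return every Struts tag attribute written as attr="%{...}" in jsp_text."""
    findings: List[Finding] = []
    for tag_match in STRUTS_TAG_RE.finditer(jsp_text):
        # Line number is the count of newlines before the tag start, plus one.
        line_no = jsp_text.count("\n", 0, tag_match.start()) + 1
        for attr_match in FORCED_ATTR_RE.finditer(tag_match.group("attrs")):
            findings.append(
                Finding(
                    line=line_no,
                    tag=tag_match.group("tag"),
                    attribute=attr_match.group("attr"),
                    expression=attr_match.group("expr"),
                )
            )
    return findings


# Constructed sample page. Lines 4 and 5 force evaluation of values that a
# reviewer would then trace back to their origin; the other tags do not.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="update">
  <s:textfield name="skillName" />
  <s:a id="%{skillName}" href="/skills">Edit</s:a>
  <s:url id="%{#parameters.id}" action="view" />
  <s:property value="skillName" />
</s:form>
"""


if __name__ == "__main__":
    for f in find_forced_evaluation(SAMPLE_JSP):
        print(f"line {f.line}: <s:{f.tag} {f.attribute}=\"%{{{f.expression}}}\"> "
              f"- confirm '{f.expression}' is not raw user input")
```

Each reported attribute is a place where the inner expression is evaluated by OGNL; a hit is only a problem when that value originates from the request, which is exactly the situation the Problem section describes, and the referenced bulletin's fix is to upgrade and to stop wrapping raw user input in `%{...}`.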
Resolution
Upgrade to Apache Struts 2.5.26 or higher.
References
https://cwiki.apache.org/confluence/display/WW/S2-061