Apache Struts forced OGNL evaluation incomplete fix

Added: 04/26/2022

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities.

Problem

A vulnerability in Apache Struts could allow remote attackers to execute arbitrary commands if the application uses forced OGNL evaluation on user input. This vulnerability exists due to an incomplete fix for CVE-2020-17530.

Resolution

Upgrade to Apache Struts 2.5.30 or higher.

References

https://cwiki.apache.org/confluence/display/WW/S2-062

Back to exploit index