<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Apache Struts 2: CVE-2020-17530: Potential RCE when using forced evaluation
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Lukasz Lenart <lukaszlenart () apache org>
Date: Tue, 8 Dec 2020 07:55:04 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.
Problem
Some of the tag's attributes could perform a double evaluation if a
developer applied forced OGNL evaluation by using the %{...} syntax.
Using forced OGNL evaluation on untrusted user input can lead to a
Remote Code Execution and security degradation.
Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.26 which checks if expression evaluation won't
lead to the double evaluation.
Please read our Security Bulletin for more details:
https://cwiki.apache.org/confluence/display/WW/S2-061
This vulnerability was identified by:
- Alvaro Munoz - pwntester at github dot com
- Masato Anzai of Aeye Security Lab, inc.
All developers are strongly advised to perform this action.
Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Apache Struts 2: CVE-2020-17530: Potential RCE when using forced evaluation Lukasz Lenart (Dec 08)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->