CVE-2019-0230

Published: 14/09/2020 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache Struts 2.0.0 through 2.5.20 performs forced double OGNL evaluation of tag attributes: when an attribute such as id is wrapped in %{...} and populated from raw user input, that input is evaluated a second time as an OGNL expression when the tag is rendered, which may lead to remote code execution. This is Struts security bulletin S2-059; the fix shipped in Struts 2.5.22.

Vulnerable Products

apache struts

oracle financial services market risk measurement and management 8.0.6

oracle communications policy management 12.5.0

oracle financial services data integration hub 8.0.6

oracle financial services data integration hub 8.0.3

oracle mysql enterprise monitor

Exploits

The Apache Struts framework, when forced to, performs double evaluation of the values assigned to certain tag attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again as an OGNL expression when the tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability ...
Apache Struts version 2.5.20 double OGNL evaluation exploit ...
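The following Python script is an added example, not code from Vulmon or from any of the repositories listed on this page. It generalises the non-destructive check that the S2-059 test project below performs with ?id=%25{8*8}: it builds an arithmetic probe for a chosen parameter, classifies the response as evaluated (the product is rendered in the attribute), reflected (the literal expression is echoed back, even when HTML-escaped) or unknown, and scans access-log lines for the double-encoded OGNL markers such a request leaves behind. The host, path, parameter name, response bodies and log lines are all constructed for illustration.

```python
"""Non-destructive detection helpers for Struts forced double OGNL evaluation
(S2-059 / CVE-2019-0230).  Added example: not code from Vulmon or from any of
the repositories listed on this page.  Runs offline; the response bodies and
access-log lines below are constructed samples, not captured traffic."""
import html
import re
from urllib.parse import urlencode, urlsplit, unquote


def build_probe(base_url, param, a=7919, b=104729):
    """Build a probe URL whose parameter is the OGNL expression %{a*b}.

    If the application forces OGNL evaluation on the raw parameter inside a
    tag attribute, the attribute is rendered as the product a*b; otherwise
    the literal text is echoed back.  The defaults are two primes whose
    product is unlikely to occur naturally in a page; the page's own test
    project uses %{8*8} -> 64.  Returns (url, expected_rendered_value).
    """
    expr = "%%{%d*%d}" % (a, b)                          # e.g. %{8*8}
    url = base_url + "?" + urlencode({param: expr})      # encodes to %25%7B...%7D
    return url, str(a * b)


def classify_response(body, expr, expected):
    """Classify a response to build_probe's request.

    'evaluated': the product appears as a standalone token (e.g. id="64")
                 and the literal expression does not -> double evaluation.
    'reflected': the literal expression comes back, possibly HTML-escaped
                 (e.g. &#37;{8*8}), so the attribute is not force-evaluated.
    'unknown':   neither; the parameter is probably not rendered at all.
    The body is HTML-unescaped first so an escaped echo is not mistaken for
    evaluation.  The token boundary keeps "64" from matching inside "640".
    """
    text = html.unescape(body)
    if expr in text:
        return "reflected"
    if re.search(r"(?<![\w.])" + re.escape(expected) + r"(?![\w.])", text):
        return "evaluated"
    return "unknown"


# Markers seen in OGNL injection attempts against Struts.  They are matched
# after URL decoding so that %25%7B (double-encoded) and %7B (single-encoded)
# both normalise to the same text.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|@java\.|@ognl\.|getRuntime\(")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (client, path, decoded_query) for combined-format access-log
    lines whose query string contains OGNL markers after two rounds of URL
    decoding (a client may send %25%7B... or %25{... for the same payload)."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        decoded = unquote(unquote(parts.query))
        if OGNL_MARKERS.search(decoded):
            hits.append((client, parts.path, decoded))
    return hits


# Constructed sample log lines (not real traffic): one arithmetic probe, one
# benign request and one attempt to reference #_memberAccess.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2020:10:01:02 +0000] "GET /S2059?id=%25%7B8*8%7D HTTP/1.1" 200 512 "-" "python-requests/2.24"',
    '198.51.100.7 - - [13/Aug/2020:10:01:05 +0000] "GET /index.action?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Aug/2020:10:01:09 +0000] "GET /index.action?id=%25%7B%23_memberAccess%7D HTTP/1.1" 200 640 "-" "python-requests/2.24"',
]

if __name__ == "__main__":
    url, expected = build_probe("http://127.0.0.1:8080/S2059", "id", 8, 8)
    print("probe:", url, "expect", expected)
    # Constructed responses standing in for a vulnerable and a patched server.
    print(classify_response('<a id="64" href="/list">x</a>', "%{8*8}", expected))
    print(classify_response('<a id="&#37;{8*8}" href="/list">x</a>', "%{8*8}", expected))
    for client, path, query in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", client, path, query)
```

Treat "evaluated" as a strong signal rather than proof: send the same request with a plain literal first and compare, because a page that already contains the product will also match. On a confirmed hit the remediation is to upgrade to Struts 2.5.22 or later, and in any case to stop wrapping raw request input in %{...} inside tag attributes.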

Github Repositories

S2-059(CVE-2019-0230)

What's this: This is a simple test project for S2-059 which can be used to analyse the details of this vulnerability. How to use: Step 1: Use IDEA to import this project. Step 2: Set up a Tomcat server. Step 3: Use a browser to access "ip:port/SimpleStruts_war_exploded/S2059?id=%25{8*8}". How to exploit: python2 CVE-2019-0230.py

CVE-2019-0230_Struts2S2-059. How to use: Build the Struts252-059 Docker image: docker-compose up -d. How to use: python3 poc.py "URL" "shell". Example (PoC): python3 poc.py 127.0.0.1:8080 "touch /tmp/1234". Example (PoC) 2, reverse shell: python3 poc.py 127.0.0.1:8080 "...

Struts2 S2-059 Remote Code Execution Vulnerability (CVE-2019-0230). The Apache Struts2 framework evaluates the attribute values of certain tags, such as the id attribute, a second time, so an attacker can inject an OGNL expression by passing one that will be evaluated again when the tag attributes are rendered. As a result, code can be remotely ...

CVE-2019-0230 Exploit

CVE-2019-0230 CVE-2019-0230 Exploit. This is the CVE-2019-0230 exploit. Good luck!!! :) Usage: python main.py -h host -c id. Example: python main.py -h www.pentest.com/index.action -c whoami. Testing website. Command: whoami. Output: root. 2020/08/13

CVE-2019-0230 Exploit POC

CVE-2019-0230 CVE-2019-0230 Exploit and PoC

CVE-2019-0230 & s2-059 poc.

CVE-2019-0230 CVE-2019-0230 & s2-059 poc

PoC for apache struts 2 vuln cve-2019-0230

CVE-2019-0230 CVE-2019-0230 Exploit. This is the CVE-2019-0230 exploit :) Usage: python3 cve-2019-230.py <url or ip> <command>. Example: # python3 cve-2019-0230-poc.py pentest.com whoami. Testing pentest.com! Command being passed for RCE: whoami. 2020/10/22

Articles accumulated by the 360Quake team.

Papers: Articles accumulated by the 360Quake team (quake.360.cn/quake/#/report). Title / Date: A brief analysis of Cobalt Strike phishing site detection, 2021-06-11; A brief analysis of Cobalt Strike Team Server scanning, 2021-04-15; A brief analysis of open-source honeypot identification, 2020-12-18; SolarWinds compromised server mapping and analysis report, 2020-12-16; TLS server-side tagging, 2020-12-14; Using JARM fingerprints to tag TLS servers

Direct Cyber Proactive Disaster Response Playbook. The why: Exploitation of high-severity vulnerabilities in internet-facing assets leads to the mass deployment of ransomware and to extortion based on data exfiltration. We have seen this again and again, all the way back from 2017 with EternalBlue to 2023's MOVEit and CitrixBleed vulnerabilities. The government and private sect

Recent Articles

Feds seize 'largest ever' haul of crypto-dosh from terrorists – including coins from 'fake' pandemic mask web store
The Register • Shaun Nichols in San Francisco • 17 Aug 2020

Plus: Someone's gunning for Mac developers

In brief The US Department of Justice said a combined operation has led to its largest seizure of terrorist-owned cryptocurrency, taking around $2m (£1.5m) from Hamas’s military wing, al-Qaeda, and Islamic State of Iraq and the Levant (ISIS). In addition to the seized accounts, prosecutors filed indictments against a pair of men based in Turkey who were said to be overseeing the fundraising online. While most of the accounts were funded by straightforward donation pages, asking visitors to co...