Forced OGNL evaluation of raw user input in tag attributes may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.
Vulnerable Product |
---|
apache struts |
oracle business intelligence 12.2.1.3.0 |
oracle business intelligence 12.2.1.4.0 |
oracle communications policy management 12.5.0 |
oracle financial services data integration hub 8.0.6 |
oracle financial services data integration hub 8.0.3 |
oracle hospitality opera 5 5.6 |
oracle communications pricing design center 12.0.0.3.0 |
oracle mysql enterprise monitor 8.0.23 |
oracle communications diameter intelligence hub 8.2.3 |
oracle communications diameter intelligence hub 8.0.0 |
oracle communications diameter intelligence hub 8.2.0 |
oracle communications diameter intelligence hub 8.1.0 |
But this time the patch should do the trick
Apache has taken another shot at fixing a critical remote code execution vulnerability in its Struts 2 framework for Java applications – because the first patch, issued in 2020, didn't fully do the trick. The security flaw exists in Struts versions 2.0.0 to 2.5.29, and an attacker could exploit it to gain control of a vulnerable system. Uncle Sam's CISA has urged organizations to upgrade to a patched version, e.g. 2.5.30, as soon as possible. Struts is widely used, and this new-old security flaw...