CVE-2020-17530: Apache Struts2 Remote Code Execution Vulnerability Alert

On December 8, 2020, the Apache Struts2 project issued a risk notice for a code execution vulnerability in Apache Struts2. The vulnerability is tracked as CVE-2020-17530 and is rated high risk. In a specific environment, a remote attacker can cause arbitrary code execution by constructing a malicious OGNL expression.

Vulnerability Detail

Some Struts tag attributes perform a double evaluation when a developer applies forced OGNL evaluation to them with the %{...} syntax. Applying forced OGNL evaluation to untrusted user input can lead to remote code execution and other security degradation.
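The pattern to look for during code review is a Struts tag attribute whose value is wrapped in %{...}, since the tag evaluates that attribute a second time. The following added example (not from the advisory or the Struts project) scans a constructed JSP fragment for such attributes and separates plain literals from expressions that reference request-derived data; the tag names and values are made-up samples.

```python
import re
from typing import List, Tuple

# Constructed sample JSP fragment (not from the page). The first <s:a> applies
# forced OGNL evaluation (%{...}) to a value that came from the request; the
# second passes the same attribute as a plain name, which is evaluated once.
SAMPLE_JSP = """
<s:a id="%{skillName}" href="/skills">Forced evaluation of request data</s:a>
<s:a id="skillName" href="/skills">Single evaluation</s:a>
<s:textfield name="%{#parameters.name}" />
<s:property value="%{'literal'}" />
"""

TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>")        # <s:tagname attr="..." ...>
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')           # attr="value"
FORCED_RE = re.compile(r"%\{([^}]*)\}")           # %{expression}


def find_forced_ognl(jsp_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, tag, attribute, expression) for every Struts tag
    attribute that uses the forced-evaluation %{...} syntax."""
    findings = []
    for lineno, line in enumerate(jsp_text.splitlines(), start=1):
        for tag_match in TAG_RE.finditer(line):
            tag, attrs = tag_match.group(1), tag_match.group(2)
            for attr, value in ATTR_RE.findall(attrs):
                for expr in FORCED_RE.findall(value):
                    findings.append((lineno, tag, attr, expr.strip()))
    return findings


def is_literal(expr: str) -> bool:
    """A quoted string or a number inside %{...} cannot carry request data."""
    return bool(re.fullmatch(r"'[^']*'|\"[^\"]*\"|\d+", expr))


def risky_findings(jsp_text: str) -> List[Tuple[int, str, str, str]]:
    """Keep only forced evaluations whose expression is not a plain literal;
    these are the ones a reviewer must trace back to their data source."""
    return [f for f in find_forced_ognl(jsp_text) if not is_literal(f[3])]


if __name__ == "__main__":
    for lineno, tag, attr, expr in risky_findings(SAMPLE_JSP):
        print(f"line {lineno}: <s:{tag} {attr}=\"%{{{expr}}}\"> uses forced OGNL evaluation")
```

This is a review heuristic, not a vulnerability scanner: a flagged attribute is only exploitable if the expression's value can be influenced by a request, so each finding still needs to be traced to where the value is set.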

Affected version

  • Struts 2.0.0 – Struts 2.5.25

Unaffected version

  • Struts 2.5.26

Solution

We recommend that users upgrade Struts2 to the latest version promptly.