On December 8, 2020, the Apache Struts 2 project issued a risk notice for a code execution vulnerability in Apache Struts 2, tracked as CVE-2020-17530 and rated high risk. In specific environments, a remote attacker can achieve arbitrary code execution by constructing a malicious OGNL expression.

Vulnerability Detail
Some of the tag's attributes can perform a double evaluation if a developer applies forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and other security degradation.
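As an added illustration that is not part of the original notice, the following Python script is a first-pass audit that lists every Struts 2 tag attribute in a template whose value applies forced OGNL evaluation with the %{...} syntax, and marks those whose expression pulls from request-scoped data directly. The sample JSP fragment, its tag names and its attribute values are constructed for this demonstration; a real review still has to confirm whether each flagged value can be influenced by user input.

```python
import re

# Constructed sample JSP fragment using the Struts 2 "s:" tag prefix (assumption).
SAMPLE_JSP = """
<s:form action="save">
  <s:textfield name="user.name" label="Name"/>
  <s:a id="%{skillName}" href="/skills">link</s:a>
  <s:property value="%{#parameters.skillName}"/>
  <s:hidden name="token" value="%{token}"/>
</s:form>
"""

# Opening Struts tags only; closing tags (</s:...>) do not match "<s:".
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# Double-quoted attribute="value" pairs inside a tag.
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')
# Forced OGNL evaluation marker.
FORCED_RE = re.compile(r"%\{.*?\}")
# Request-scoped OGNL roots that carry user-controlled data verbatim.
UNTRUSTED_ROOTS = ("#parameters", "#request", "#session", "#application")


def find_forced_evaluation(template):
    """Return (tag, attribute, value, direct_user_input) for each attribute
    whose value uses %{...}. direct_user_input is True when the expression
    references a request-scoped root and therefore needs immediate review."""
    findings = []
    for tag_match in TAG_RE.finditer(template):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        for attr, value in ATTR_RE.findall(attrs):
            if FORCED_RE.search(value):
                direct = any(root in value for root in UNTRUSTED_ROOTS)
                findings.append((tag, attr, value, direct))
    return findings


def report(template):
    """Human-readable audit lines, one per finding."""
    lines = []
    for tag, attr, value, direct in find_forced_evaluation(template):
        severity = "REVIEW-NOW" if direct else "review"
        lines.append(f"[{severity}] <s:{tag} {attr}={value!r}>")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_JSP)))
```

Running the script over a real template tree (e.g. by reading each .jsp file into `find_forced_evaluation`) gives a worklist of attributes to convert to plain expressions or to remove forced evaluation from before upgrading.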
Affected version
- Struts 2.0.0 – Struts 2.5.25
Unaffected version
- Struts 2.5.26
Solution
Users are advised to upgrade Struts 2 to version 2.5.26 or later as soon as possible.