Fwd: CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.

[Lukasz Lenart <lu...@apache.org>]

---------- Forwarded message ---------
Od: Yasser Zamani <ya...@apache.org>
Date: wt., 12 kwi 2022 o 17:15
Subject: CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when
evaluated on raw not validated user input in tag attributes, may lead
to RCE.
To: <an...@apache.org>, <de...@struts.apache.org>


Description:

The fix issued for CVE-2020-17530 was incomplete. So from Apache
Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could
perform a double evaluation if a developer applied forced OGNL
evaluation by using the %{...} syntax. Using forced OGNL evaluation on
untrusted user input can lead to a Remote Code Execution and security
degradation.

Mitigation:

Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.30 which checks if expression evaluation won’t
lead to the double evaluation.

Please read our Security Bulletin S2-062 for more details.

Credit:

Apache Struts would like to thank Chris McCown for reporting this issue!

References:

https://cwiki.apache.org/confluence/display/WW/S2-062


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org