You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2020/12/08 06:55:04 UTC
[ANN] [SECURITY] Potential RCE when using forced evaluation - CVE-2020-17530
Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.
Problem
Some of the tag's attributes could perform a double evaluation if a
developer applied forced OGNL evaluation by using the %{...} syntax.
Using forced OGNL evaluation on untrusted user input can lead to a
Remote Code Execution and security degradation.
Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.26 which checks if expression evaluation won't
lead to the double evaluation.
Please read our Security Bulletin for more details:
https://cwiki.apache.org/confluence/display/WW/S2-061
This vulnerability was identified by:
- Alvaro Munoz - pwntester at github dot com
- Masato Anzai of Aeye Security Lab, inc.
All developers are strongly advised to perform this action.
Kind regards
--
Ćukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org