You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Yasser Zamani <ya...@apache.org> on 2022/04/12 15:15:06 UTC
CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.
Description:
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Mitigation:
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 which checks if expression evaluation won’t lead to the double evaluation.
Please read our Security Bulletin S2-062 for more details.
Credit:
Apache Struts would like to thank Chris McCown for reporting this issue!
References:
https://cwiki.apache.org/confluence/display/WW/S2-062
Re: CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.
Posted by Yasser Zamani <ya...@apache.org>.
It's nothing no bother at all :) thanks to you for your great works!
Best wishes
On 4/13/2022 10:04 AM, Lukasz Lenart wrote:
> Thanks Yasser for taking care of this and being so patient with the
> whole process :)
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> wt., 12 kwi 2022 o 17:15 Yasser Zamani <ya...@apache.org> napisał(a):
>>
>> Description:
>>
>> The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
>>
>> Mitigation:
>>
>> Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 which checks if expression evaluation won’t lead to the double evaluation.
>>
>> Please read our Security Bulletin S2-062 for more details.
>>
>> Credit:
>>
>> Apache Struts would like to thank Chris McCown for reporting this issue!
>>
>> References:
>>
>> https://cwiki.apache.org/confluence/display/WW/S2-062
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.
Posted by Lukasz Lenart <lu...@apache.org>.
Thanks Yasser for taking care of this and being so patient with the
whole process :)
Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
wt., 12 kwi 2022 o 17:15 Yasser Zamani <ya...@apache.org> napisał(a):
>
> Description:
>
> The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
>
> Mitigation:
>
> Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 which checks if expression evaluation won’t lead to the double evaluation.
>
> Please read our Security Bulletin S2-062 for more details.
>
> Credit:
>
> Apache Struts would like to thank Chris McCown for reporting this issue!
>
> References:
>
> https://cwiki.apache.org/confluence/display/WW/S2-062
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Fwd: CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.
Posted by Lukasz Lenart <lu...@apache.org>.
---------- Forwarded message ---------
Od: Yasser Zamani <ya...@apache.org>
Date: wt., 12 kwi 2022 o 17:15
Subject: CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when
evaluated on raw not validated user input in tag attributes, may lead
to RCE.
To: <an...@apache.org>, <de...@struts.apache.org>
Description:
The fix issued for CVE-2020-17530 was incomplete. So from Apache
Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could
perform a double evaluation if a developer applied forced OGNL
evaluation by using the %{...} syntax. Using forced OGNL evaluation on
untrusted user input can lead to a Remote Code Execution and security
degradation.
Mitigation:
Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.30 which checks if expression evaluation won’t
lead to the double evaluation.
Please read our Security Bulletin S2-062 for more details.
Credit:
Apache Struts would like to thank Chris McCown for reporting this issue!
References:
https://cwiki.apache.org/confluence/display/WW/S2-062
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org