Description
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
A flaw was found in Apache Struts frameworks. When forced, Struts 2 performs double evaluation of the values assigned to certain tag attributes, such as id, so it is possible to pass a value that is evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). The largest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | struts | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | struts | Not affected | | |
| Red Hat JBoss Fuse Service Works 6 | struts | Not affected | | |
| Red Hat JBoss Operations Network 3 | struts | Not affected | | |
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Not affected | | |
Additional information
Status:
EPSS
8.1 High
CVSS3
Related vulnerabilities
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts
A vulnerability in the Apache Struts software platform, related to insufficient control over the modification of dynamically determined object attributes, that allows an attacker to execute arbitrary code