Описание
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
A flaw was found in the Apache Struts frameworks. When forced, some of the tag's attributes perform a double evaluation if a developer applies forced OGNL evaluation by using the %{...} syntax. Using a forced OGNL evaluation on untrusted user input allows an attacker to perform remote code execution and security degradation. The highest threat from this vulnerability is to data confidentiality, integrity as well as system availability.
Отчет
Apache Struts2 is not compiled, shipped, used, or enabled in Red Hat products. As such, any CVE against Apache Struts2 does not impact currently supported Red Hat products. This statement was last revised on 1 Sept 2020. Previous statement example: https://bugzilla.redhat.com/show_bug.cgi?id=1469265
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat CodeReady Studio 12 | struts | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | struts | Not affected | ||
| Red Hat JBoss Fuse 6 | struts-core | Not affected | ||
| Red Hat JBoss Fuse Service Works 6 | struts | Not affected | ||
| Red Hat JBoss Operations Network 3 | struts | Not affected |
Показывать по
Дополнительная информация
Статус:
8.1 High
CVSS3
Связанные уязвимости
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Forced OGNL evaluation, when evaluated on raw user input in tag attrib ...
Уязвимость программной платформы Apache Struts, существующая из-за некорректной обработки выражений Object Graph Navigation Language, позволяющая нарушителю выполнить произвольный код
8.1 High
CVSS3