CVE-2020-17530
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.
CISA KEV
- Vendor
- Apache
- Product
- Struts
- Due date
- 2022-05-03
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2020-17530
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2020-17530.html
Exploits
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.struts:struts2-core | >=2.0.0,<2.5.26 | 2.5.26 |
References
- https://www.suse.com/security/cve/CVE-2020-17530.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-17530
- https://cwiki.apache.org/confluence/display/WW/S2-061
- https://github.com/apache/struts
- https://security.netapp.com/advisory/ntap-20210115-0005
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://jvn.jp/en/jp/JVN43969166/index.html
- http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
- http://www.openwall.com/lists/oss-security/2022/04/12/6
Verify integrity in audit chain (admin only). AS-IS.