Description:
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0
to 2.5.29, still some of the tag’s attributes could perform a double evaluation
if a developer applied forced OGNL evaluation by using the %{...} syntax. Using
forced OGNL evaluation on untrusted user input can lead to a Remote Code
Execution and security degradation.
Mitigation:
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to
Struts 2.5.30 which checks if expression evaluation won’t lead to the double
evaluation.
Please read our Security Bulletin S2-062 for more details.
Credit:
Apache Struts would like to thank Chris McCown for reporting this issue!
References:
https://cwiki.apache.org/confluence/display/WW/S2-062
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
