9.8
CVE-2020-17530
- EPSS 95.92%
- Veröffentlicht 11.12.2020 02:15:10
- Zuletzt bearbeitet 27.10.2025 17:37:20
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Oracle ≫ Business Intelligence Version12.2.1.3.0 SwEditionenterprise
Oracle ≫ Business Intelligence Version12.2.1.4.0 SwEditionenterprise
Oracle ≫ Communications Diameter Intelligence Hub Version8.0.0
Oracle ≫ Communications Diameter Intelligence Hub Version8.1.0
Oracle ≫ Communications Diameter Intelligence Hub Version8.2.0
Oracle ≫ Communications Diameter Intelligence Hub Version8.2.3
Oracle ≫ Communications Policy Management Version12.5.0
Oracle ≫ Communications Pricing Design Center Version12.0.0.3.0
Oracle ≫ Financial Services Data Integration Hub Version8.0.3
Oracle ≫ Financial Services Data Integration Hub Version8.0.6
Oracle ≫ Hospitality Opera 5 Version5.6
Oracle ≫ Mysql Enterprise Monitor Version8.0.23
03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
Apache Struts Remote Code Execution Vulnerability
SchwachstelleForced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 95.92% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
http://jvn.jp/en/jp/JVN43969166/index.html
http://www.openwall.com/lists/oss-security/2022/04/12/6
https://cwiki.apache.org/confluence/display/WW/S2-061
https://security.netapp.com/advisory/ntap-20210115-0005/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530