CVE-2020-17530

Warnung

EPSS 94.36%
Veröffentlicht 11.12.2020 02:15:10
Zuletzt bearbeitet 03.04.2025 16:07:29
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Struts Version >= 2.0.0 < 2.5.30

Oracle ≫ Business Intelligence Version12.2.1.3.0 SwEditionenterprise

Oracle ≫ Business Intelligence Version12.2.1.4.0 SwEditionenterprise

Oracle ≫ Communications Diameter Intelligence Hub Version8.0.0

Oracle ≫ Communications Diameter Intelligence Hub Version8.1.0

Oracle ≫ Communications Diameter Intelligence Hub Version8.2.0

Oracle ≫ Communications Diameter Intelligence Hub Version8.2.3

Oracle ≫ Communications Policy Management Version12.5.0

Oracle ≫ Communications Pricing Design Center Version12.0.0.3.0

Oracle ≫ Financial Services Data Integration Hub Version8.0.3

Oracle ≫ Financial Services Data Integration Hub Version8.0.6

Oracle ≫ Hospitality Opera 5 Version5.6

Oracle ≫ Mysql Enterprise Monitor Version8.0.23

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Struts Remote Code Execution Vulnerability

Schwachstelle

Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.36%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

https://www.oracle.com/security-alerts/cpujan2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html