Bug 1905645 (CVE-2020-17530) - CVE-2020-17530 struts2: using forced OGNL evaluation on untrusted user input can lead to a RCE and security degradation
Summary: CVE-2020-17530 struts2: using forced OGNL evaluation on untrusted user input ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-17530
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1905646
Reported: 2020-12-08 18:21 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-08-27 18:42 UTC (History)

Fixed In Version: Struts 2.5.26
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Struts framework. Some tag attributes perform a double evaluation when a developer applies forced OGNL evaluation using the %{...} syntax. Using forced OGNL evaluation on untrusted user input allows an attacker to perform remote code execution and security degradation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-12-09 06:47:00 UTC
Embargoed:


Description Guilherme de Almeida Suckevicz 2020-12-08 18:21:03 UTC
Some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.

Reference:
https://cwiki.apache.org/confluence/display/WW/S2-061

Comment 4 Product Security DevOps Team 2020-12-09 06:47:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17530

Comment 8 Ted Jongseok Won 2020-12-18 06:00:43 UTC
Statement:

Apache Struts2 is not compiled, shipped, used, or enabled in Red Hat products. As such, any CVE against Apache Struts2 does not impact currently supported Red Hat products.

This statement was last revised on 1 Sept 2020.

Previous statement example: https://bugzilla.redhat.com/show_bug.cgi?id=1469265
