Some tag attributes perform a double evaluation when a developer applies forced OGNL evaluation with the %{...} syntax: the attribute's expression is evaluated once to obtain a value, and that value is then evaluated again as OGNL when the tag is rendered. Applying forced OGNL evaluation to untrusted user input in this way can therefore lead to Remote Code Execution and security degradation. Reference: https://cwiki.apache.org/confluence/display/WW/S2-061
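To make the pattern concrete, the JSP fragment below is an added illustration and is not code from the Struts advisory or from Red Hat. It assumes a Struts 2 action that exposes a `skillName` property populated from a request parameter (the `/employee/list.action` target and the `skillName` name are assumed for the example). The first tag shows the forced-evaluation pattern the advisory warns against; the second shows the same page element without forced OGNL evaluation on untrusted data.

```jsp
<%-- Added example, not from the advisory. Assumes an action class with
     getSkillName()/setSkillName(String), so that a request parameter
     named skillName controls the property's value. --%>
<%@ taglib prefix="s" uri="/struts-tags" %>

<%-- VULNERABLE PATTERN (affected Struts 2 versions): forced OGNL evaluation
     of a user-controlled value. %{skillName} is first evaluated to the
     property's string value; certain attributes then evaluate that string a
     second time as OGNL, so a request value of the form %{...} is executed
     on the second pass. Never apply %{...} to an attribute whose value
     comes from untrusted input. --%>
<s:a id="%{skillName}" href="/employee/list.action">List employees</s:a>

<%-- HARDENED: keep the untrusted value out of attributes that are
     evaluated. A static attribute value is rendered literally, and
     <s:property> reads the property once and HTML-escapes it as page
     text, so no second OGNL evaluation takes place. --%>
<s:a id="employee-list" href="/employee/list.action">
  List employees for <s:property value="skillName"/>
</s:a>
```

The hardened form removes the forced-evaluation pattern regardless of Struts version; upgrading to a release that fixes S2-061 is still required, because the framework-side double evaluation is what the advisory patches, and a code review for `%{...}` on attributes fed by request data is the quickest way to find remaining instances.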
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-17530
Statement: Apache Struts2 is not compiled, shipped, used, or enabled in Red Hat products. As such, any CVE against Apache Struts2 does not impact currently supported Red Hat products. This statement was last revised on 1 Sept 2020. Previous statement example: https://bugzilla.redhat.com/show_bug.cgi?id=1469265