// For flags

CVE-2020-17530

Apache Struts Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

11
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Una evaluación OGNL forzada, cuando se evalúa según la entrada del usuario sin procesar en los atributos de la etiqueta, puede conllevar a una ejecución de código remota. Software afectado: Apache Struts versión 2.0.0 - Struts versión 2.5.25

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependant. A server side template must make an affected use of request data to render an HTML tag attribute.

Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-08-12 CVE Reserved
  • 2020-12-09 First Exploit
  • 2020-12-11 CVE Published
  • 2021-11-03 Exploited in Wild
  • 2022-05-03 KEV Due Date
  • 2024-08-04 CVE Updated
  • 2024-11-17 EPSS Updated
CWE
  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CAPEC
References (26)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
Struts
Search vendor "Apache" for product "Struts"
>= 2.0.0 < 2.5.30
Search vendor "Apache" for product "Struts" and version " >= 2.0.0 < 2.5.30"
-
Affected
Oracle
Search vendor "Oracle"
Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
12.2.1.3.0
Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
Business Intelligence
Search vendor "Oracle" for product "Business Intelligence"
12.2.1.4.0
Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"
enterprise
Affected
Oracle
Search vendor "Oracle"
Communications Diameter Intelligence Hub
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"
8.0.0
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Diameter Intelligence Hub
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"
8.1.0
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.1.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Diameter Intelligence Hub
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"
8.2.0
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.2.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Diameter Intelligence Hub
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"
8.2.3
Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.2.3"
-
Affected
Oracle
Search vendor "Oracle"
Communications Policy Management
Search vendor "Oracle" for product "Communications Policy Management"
12.5.0
Search vendor "Oracle" for product "Communications Policy Management" and version "12.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Pricing Design Center
Search vendor "Oracle" for product "Communications Pricing Design Center"
12.0.0.3.0
Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Data Integration Hub
Search vendor "Oracle" for product "Financial Services Data Integration Hub"
8.0.3
Search vendor "Oracle" for product "Financial Services Data Integration Hub" and version "8.0.3"
-
Affected
Oracle
Search vendor "Oracle"
Financial Services Data Integration Hub
Search vendor "Oracle" for product "Financial Services Data Integration Hub"
8.0.6
Search vendor "Oracle" for product "Financial Services Data Integration Hub" and version "8.0.6"
-
Affected
Oracle
Search vendor "Oracle"
Hospitality Opera 5
Search vendor "Oracle" for product "Hospitality Opera 5"
5.6
Search vendor "Oracle" for product "Hospitality Opera 5" and version "5.6"
-
Affected
Oracle
Search vendor "Oracle"
Mysql Enterprise Monitor
Search vendor "Oracle" for product "Mysql Enterprise Monitor"
8.0.23
Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version "8.0.23"
-
Affected