CVE-2020-17530

Apache Struts Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Una evaluación OGNL forzada, cuando se evalúa según la entrada del usuario sin procesar en los atributos de la etiqueta, puede conllevar a una ejecución de código remota. Software afectado: Apache Struts versión 2.0.0 - Struts versión 2.5.25

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependant. A server side template must make an affected use of request data to render an HTML tag attribute.

Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-08-12 CVE Reserved
2020-12-09 First Exploit
2020-12-11 CVE Published
2021-11-03 Exploited in Wild
2022-05-03 KEV Due Date
2024-08-04 CVE Updated
2024-10-15 EPSS Updated

CWE

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CAPEC

References (26)

URL	Tag	Source
http://jvn.jp/en/jp/JVN43969166/index.html	Third Party Advisory
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/04/12/6	Mailing List
https://www.oracle.com/security-alerts/cpuapr2022.html	Third Party Advisory
https://cwiki.apache.org/confluence/display/WW/S2-059
https://github.com/vulhub/vulhub/tree/master/struts2/s2-059
https://github.com/vulhub/vulhub/tree/master/struts2/s2-061
https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2

URL	Date	SRC
https://github.com/wuzuowei/CVE-2020-17530	2020-12-18
https://github.com/ka1n4t/CVE-2020-17530	2020-12-09
https://github.com/Al1ex/CVE-2020-17530	2020-12-22
https://github.com/phil-fly/CVE-2020-17530	2020-12-09
https://github.com/CyborgSecurity/CVE-2020-17530	2020-12-30
https://github.com/fengziHK/CVE-2020-17530-strust2-061	2020-12-14
https://github.com/uzzzval/CVE-2020-17530	2021-01-07
https://github.com/nth347/CVE-2020-17530	2023-08-04
https://github.com/secpool2000/CVE-2020-17530	2020-12-09
https://github.com/keyuan15/CVE-2020-17530	2023-04-02
https://github.com/killmonday/CVE-2020-17530-s2-061	2021-01-24

URL	Date	SRC
https://security.netapp.com/advisory/ntap-20210115-0005	2022-06-03
https://www.oracle.com//security-alerts/cpujul2021.html	2022-06-03
https://www.oracle.com/security-alerts/cpuApr2021.html	2022-06-03
https://www.oracle.com/security-alerts/cpujan2021.html	2022-06-03
https://www.oracle.com/security-alerts/cpujan2022.html	2022-06-03
https://www.oracle.com/security-alerts/cpuoct2021.html	2022-06-03

URL	Date	SRC
https://cwiki.apache.org/confluence/display/WW/S2-061	2020-09-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				>= 2.0.0 < 2.5.30 Search vendor "Apache" for product "Struts" and version " >= 2.0.0 < 2.5.30"		-		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.3.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.3.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Business Intelligence Search vendor "Oracle" for product "Business Intelligence"				12.2.1.4.0 Search vendor "Oracle" for product "Business Intelligence" and version "12.2.1.4.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				8.0.0 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.0.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				8.1.0 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				8.2.0 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				8.2.3 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version "8.2.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Policy Management Search vendor "Oracle" for product "Communications Policy Management"				12.5.0 Search vendor "Oracle" for product "Communications Policy Management" and version "12.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center"				12.0.0.3.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Data Integration Hub Search vendor "Oracle" for product "Financial Services Data Integration Hub"				8.0.3 Search vendor "Oracle" for product "Financial Services Data Integration Hub" and version "8.0.3"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Data Integration Hub Search vendor "Oracle" for product "Financial Services Data Integration Hub"				8.0.6 Search vendor "Oracle" for product "Financial Services Data Integration Hub" and version "8.0.6"		-		Affected
Oracle Search vendor "Oracle"		Hospitality Opera 5 Search vendor "Oracle" for product "Hospitality Opera 5"				5.6 Search vendor "Oracle" for product "Hospitality Opera 5" and version "5.6"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				8.0.23 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version "8.0.23"		-		Affected