CVE-2021-31805

Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

La corrección emitida para CVE-2020-17530 era incompleta. Así, desde Apache Struts versiones 2.0.0 hasta 2.5.29, todavía algunos de los atributos de las etiquetas podían llevar a cabo una doble evaluación si un desarrollador aplicaba la evaluación OGNL forzada usando la sintaxis %{...}. El uso de la evaluación forzada de OGNL en entradas de usuario no confiables puede conllevar a una Ejecución de Código Remota y una degradación de la seguridad

*Credits: Apache Struts would like to thank Chris McCown for reporting this issue!

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-04-26 CVE Reserved
2022-04-12 CVE Published
2022-04-15 First Exploit
2024-01-30 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CAPEC

References (9)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/04/12/6	Mailing List
https://security.netapp.com/advisory/ntap-20220420-0001	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	X_refsource_misc

URL	Date	SRC
https://github.com/Wrin9/CVE-2021-31805	2022-04-15
https://github.com/z92g/CVE-2021-31805	2022-07-23
https://github.com/aeyesec/CVE-2021-31805	2022-04-22
https://github.com/fleabane1/CVE-2021-31805-POC	2022-04-18
https://github.com/nth347/CVE-2021-31805	2023-08-04

URL	Date	SRC
https://cwiki.apache.org/confluence/display/WW/S2-062	2022-07-25

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Struts Search vendor "Apache" for product "Struts"				>= 2.0.0 <= 2.5.29 Search vendor "Apache" for product "Struts" and version " >= 2.0.0 <= 2.5.29"		-		Affected