oss-sec mailing list archives

CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.

From: Yasser Zamani <yasserzamani () apache org>
Date: Tue, 12 Apr 2022 15:15:06 +0000

Description:

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s 
attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. 
Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Mitigation:

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 which checks if expression 
evaluation won’t lead to the double evaluation.

Please read our Security Bulletin S2-062 for more details.

Credit:

Apache Struts would like to thank Chris McCown for reporting this issue!

References:

https://cwiki.apache.org/confluence/display/WW/S2-062

Current thread:

CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. Yasser Zamani (Apr 12)