Show filters
2 Total Results
Displaying 1-2 of 2
Sort by:
Attacker Value
Very High
CVE-2020-17530
Disclosure Date: December 11, 2020 (last updated October 07, 2023)
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
1
Attacker Value
Unknown
CVE-2021-31805
Disclosure Date: April 12, 2022 (last updated October 07, 2023)
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
0