Bugzilla – Bug 1179775
VUL-0: CVE-2020-17530: struts: Potential RCE when using forced evaluation
Last modified: 2020-12-08 16:22:09 UTC
via oss-security: ------------------------------------------------------------------------------ Apache Struts 2: CVE-2020-17530: Potential RCE when using forced evaluation From: Lukasz Lenart Date: Tue, 8 Dec 2020 07:55:04 +0100 Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Problem Some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. Solution Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression evaluation won't lead to the double evaluation. Please read our Security Bulletin for more details: https://cwiki.apache.org/confluence/display/WW/S2-061 This vulnerability was identified by: - Alvaro Munoz - pwntester at github dot com - Masato Anzai of Aeye Security Lab, inc. All developers are strongly advised to perform this action. Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ ------------------------------------------------------------------------------ References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17530 http://seclists.org/oss-sec/2020/q4/191 https://cwiki.apache.org/confluence/display/WW/S2-061
SUSE:SLE-15-SP1:Update:Products:Manager40:Update Not affected [1] SUSE:SLE-15-SP2:Update:Products:Manager41:Update Not affected [1] [1] does not support OGNL