← back
CVE-2020-17530

CVE-2020-17530

CVSS 9.8 CRITICALEPSS 95.9%● KEVCWE-917
In short

Apache Struts 2 allows attackers to execute arbitrary code on the server by injecting malicious expressions into tag attributes. This happens because user input is evaluated as code without proper validation, giving attackers complete control over the affected system.

Technical detail

A forced Object-Graph Navigation Language (OGNL) evaluation vulnerability exists in Apache Struts 2.0.0 through 2.5.25 where raw user input in tag attributes is processed as executable expressions. An unauthenticated attacker can inject malicious OGNL payloads through web request parameters to achieve remote code execution with server privileges; no authentication or special preconditions are required.

Summary generated and translated by AI from the official description.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache Struts
public PoCs found14
githubgithub.com/ka1n4t/CVE-2020-1753064githubgithub.com/wuzuowei/CVE-2020-1753046githubgithub.com/Al1ex/CVE-2020-1753029githubgithub.com/fengziHK/CVE-2020-17530-strust2-0617githubgithub.com/uzzzval/CVE-2020-175305githubgithub.com/CyborgSecurity/CVE-2020-175304githubgithub.com/secpool2000/CVE-2020-175301githubgithub.com/shoucheng3/apache__struts_CVE-2020-17530_2-5-250githubgithub.com/ludy-dev/freemarker_RCE_struts2_s2-0610githubgithub.com/killmonday/CVE-2020-17530-s2-0610githubgithub.com/keyuan15/CVE-2020-175300githubgithub.com/nth347/CVE-2020-175300githubgithub.com/fatkz/CVE-2020-175300cve_referencepacketstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://jvn.jp/en/jp/JVN43969166/index.htmlhttp://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.htmlhttps://cwiki.apache.org/confluence/display/WW/S2-061https://security.netapp.com/advisory/ntap-20210115-0005/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530https://www.oracle.com/security-alerts/cpuApr2021.htmlhttps://www.oracle.com/security-alerts/cpuapr2022.htmlhttps://www.oracle.com/security-alerts/cpujan2021.htmlhttps://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.oracle.com//security-alerts/cpujul2021.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.htmlhttp://www.openwall.com/lists/oss-security/2022/04/12/6