PT-2020-5501 · Apache · Apache Struts

Published: 2020-12-10 · Updated: 2025-10-28 · CVE-2020-17530

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Struts versions 2.0.0 through 2.5.25

Description: The issue is caused by incorrect handling of Object Graph Navigation Language (OGNL) expressions. When forced OGNL evaluation is applied to raw user input in tag attributes, the expression is evaluated and a remote attacker can execute arbitrary code on the server. The severity of this issue is critical, and a proof-of-concept (PoC) is publicly available, so the impact may be significant and extensive.

Recommendations: For Apache Struts versions 2.0.0 through 2.5.25, consider disabling forced OGNL evaluation in tag attributes to prevent remote code execution until a patch is available. Restrict access to the vulnerable hello.action endpoint to minimize the risk of exploitation. Avoid using the name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
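To act on the recommendation above, a developer first has to find where the application's JSP views apply forced OGNL evaluation inside Struts tag attributes. The following Python script is an added example written for this page, not part of the advisory or the Struts project: it scans JSP text for `<s:...>` tags and reports every attribute whose value uses the `%{...}` forced-evaluation syntax, so each occurrence can be reviewed and removed where the attribute is fed from user input. The JSP fragments embedded below are constructed sample input.

```python
import re

# Constructed sample JSP fragments (not taken from the advisory or any real application).
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a id="%{skillName}">Show skill</s:a>
<s:textfield name="name" value="%{name}" />
<s:property value="name" />
<s:url action="hello" />
"""

# A Struts tag (taglib prefix "s") and its raw attribute string up to the closing '>'.
# Closing tags such as </s:a> do not match because '/' follows '<'.
TAG_RE = re.compile(r"<s:(?P<tag>[\w-]+)(?P<attrs>[^>]*)>", re.S)
# attr="value" or attr='value' pairs inside the attribute string.
ATTR_RE = re.compile(
    r"""(?P<name>[\w:-]+)\s*=\s*(?P<q>["'])(?P<value>.*?)(?P=q)""", re.S
)
# Struts syntax that forces OGNL evaluation of an attribute value.
FORCED_OGNL = "%{"


def find_forced_ognl(jsp_text):
    """Return (line_no, tag, attribute, value) for every Struts tag attribute
    whose value forces OGNL evaluation with %{...}.

    Each hit is a review item: if the attribute value can be influenced by a
    request parameter, the forced evaluation should be removed.
    """
    findings = []
    for tag_match in TAG_RE.finditer(jsp_text):
        # 1-based line number of the tag start, for reporting.
        line_no = jsp_text.count("\n", 0, tag_match.start()) + 1
        for attr in ATTR_RE.finditer(tag_match.group("attrs")):
            if FORCED_OGNL in attr.group("value"):
                findings.append(
                    (line_no, tag_match.group("tag"), attr.group("name"), attr.group("value"))
                )
    return findings


def report(jsp_text):
    """Format the findings as one line per hit, returning the text."""
    lines = [
        f"line {line_no}: <s:{tag} {name}=\"{value}\"> uses forced OGNL evaluation"
        for line_no, tag, name, value in find_forced_ognl(jsp_text)
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_JSP))
```

Run it against a real view directory by reading each `.jsp` file and passing its contents to `find_forced_ognl`; the scanner deliberately reports every `%{...}` attribute rather than trying to decide which ones are reachable from user input, since that judgement needs knowledge of the action that populates the value.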

Exploit

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2021-00912
CVE-2020-17530
GHSA-JC35-Q369-45PV

Affected Products

Apache Struts