CVE-2019-0230

Name of the Vulnerable Software and Affected Versions Apache Struts versions 2.0.0 through 2.5.20

Description The issue is related to insufficient control of modification of dynamically determined characteristics of an object in the Apache Struts platform. This can be exploited by a remote attacker to execute arbitrary code. The vulnerability is associated with forced double OGNL evaluation when raw user input is evaluated in tag attributes, which may lead to remote code execution.

Recommendations For Apache Struts versions 2.0.0 through 2.5.20, consider disabling the forced double OGNL evaluation in tag attributes to minimize the risk of exploitation until a patch is available. Restrict access to the affected tag attributes to prevent the evaluation of raw user input. As a temporary workaround, avoid using raw user input in tag attributes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.