PT-2022-2374 · Apache · Apache Struts

Published: 2022-04-12 · Updated: 2026-01-25 · CVE-2021-31805

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Struts versions 2.0.0 through 2.5.29

Description: The issue arises from incorrect handling of Object Graph Navigation Language (OGNL) expressions. If a developer applies forced OGNL evaluation with the %{...} syntax to a tag attribute that carries untrusted user input, the input is evaluated a second time as an OGNL expression, which can result in Remote Code Execution. The cause is an incomplete fix for a previous issue: some tag attributes can still perform double evaluation.

Recommendations: For Apache Struts versions 2.0.0 through 2.5.29, consider disabling forced OGNL evaluation using the %{...} syntax to prevent Remote Code Execution, especially when dealing with untrusted user input. Restrict the use of tag attributes that could perform double evaluation to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
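The recommendation above asks developers to find and remove forced %{...} evaluation on tag attributes that carry user input. The following scanner is an added example written for this record, not code from Apache Struts or from the advisory. It walks a JSP template, extracts attributes of Struts tags (the `<s:...>` prefix), reports every attribute value that uses forced evaluation, and rates a finding "high" when the expression reads from request-fed OGNL roots (`#parameters`, `#request`, `#attr`, chosen here as the assumed untrusted sources); the sample template is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Struts UI tags: <s:tag attr="..."> or <struts:tag ...>. Closing tags (</s:a>) do not match.
TAG_RE = re.compile(r"<(?:s|struts):(?P<tag>[A-Za-z]+)(?P<attrs>[^>]*)>", re.DOTALL)
# Double-quoted attribute="value" pairs inside the tag
ATTR_RE = re.compile(r'(?P<name>[A-Za-z:-]+)\s*=\s*"(?P<value>[^"]*)"')
# Forced OGNL evaluation syntax described in the advisory
FORCED_RE = re.compile(r"%\{(?P<expr>[^}]*)\}")
# OGNL roots populated directly from the HTTP request (assumption for this example)
UNTRUSTED_ROOTS = ("#parameters", "#request", "#attr")


@dataclass
class Finding:
    line: int        # 1-based line of the tag in the template
    tag: str         # Struts tag name, e.g. "a", "url", "textfield"
    attribute: str   # attribute carrying the forced evaluation
    expression: str  # expression inside %{...}
    severity: str    # "high" if it reads request data, else "review"


def scan_template(text: str) -> List[Finding]:
    """Return one Finding per %{...} occurrence in a Struts tag attribute."""
    findings: List[Finding] = []
    for tag in TAG_RE.finditer(text):
        line = text.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            for forced in FORCED_RE.finditer(attr.group("value")):
                expr = forced.group("expr").strip()
                severity = "high" if any(r in expr for r in UNTRUSTED_ROOTS) else "review"
                findings.append(Finding(line, tag.group("tag"), attr.group("name"), expr, severity))
    return findings


# Constructed sample template: one attribute fed straight from request parameters,
# two using forced evaluation on action properties, one with no forced evaluation.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a href="%{#parameters.redirect[0]}">Back</s:a>
<s:url id="next" value="%{nextPage}"/>
<s:textfield name="username" value="%{username}"/>
<s:property value="greeting"/>
"""


def high_findings(text: str) -> List[Finding]:
    """Only the findings where the forced expression reads request-controlled data."""
    return [f for f in scan_template(text) if f.severity == "high"]


if __name__ == "__main__":
    for f in scan_template(SAMPLE_JSP):
        print(f"line {f.line}: <s:{f.tag} {f.attribute}=\"%{{{f.expression}}}\"> [{f.severity}]")
```

Every "review" hit is a place where the attribute is already OGNL-evaluated by the tag and the %{...} wrapper adds the second evaluation the advisory warns about; the "high" hits are the ones to fix first, since the inner value comes from the request. Attribute values in single quotes or spanning several lines are not handled by these patterns, so treat the scanner as a triage aid rather than a complete audit.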

Exploit

RCE
Code Injection

Weakness Enumeration

Related Identifiers

BDU:2022-02726
CVE-2021-31805
GHSA-V8J6-6C2R-R27C

Affected Products

Apache Struts