CVE-2019-0230

Description

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

How to fix CVE-2019-0230

To remediate CVE-2019-0230, upgrade the affected package to a fixed version below.

• Maven/org.apache.struts:struts2-core—upgrade to 2.5.22 or later

Is CVE-2019-0230 being exploited?

Likely — EPSS is 93.8%, placing CVE-2019-0230 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• >= 2.0.0, < 2.5.22

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-0230
• PATCHgithub.com/apache/struts
• WEBpacketstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
• WEBpacketstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html