CVE-2020-17530

Description

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

How to fix CVE-2020-17530

To remediate CVE-2020-17530, upgrade the affected package to a fixed version below.

• Maven/org.apache.struts:struts2-core—upgrade to 2.5.26 or later

Is CVE-2020-17530 being exploited?

Yes — CVE-2020-17530 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

• >= 2.0.0, < 2.5.26

CVSS scores

References (14)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-17530
• PATCHgithub.com/apache/struts
• WEBjvn.jp/en/jp/JVN43969166/index.html
• WEBpacketstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
• WEB