CVE-2020-17530
Last modified
CVE-2020-17530 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.. CISA has confirmed active exploitation in the wild. EPSS estimates a 95.92% chance of exploitation in the next 30 days.
Description
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Struts | >= 2.0.0, < 2.5.30 |
| Oracle | Business Intelligence | 12.2.1.3.0 |
| Oracle | Business Intelligence | 12.2.1.4.0 |
| Oracle | Communications Diameter Intelligence Hub | 8.0.0 |
| Oracle | Communications Diameter Intelligence Hub | 8.1.0 |
| Oracle | Communications Diameter Intelligence Hub | 8.2.0 |
| Oracle | Communications Diameter Intelligence Hub | 8.2.3 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Communications Pricing Design Center | 12.0.0.3.0 |
| Oracle | Financial Services Data Integration Hub | 8.0.3 |
| Oracle | Financial Services Data Integration Hub | 8.0.6 |
| Oracle | Hospitality Opera 5 | 5.6 |
| Oracle | Mysql Enterprise Monitor | 8.0.23 |
References
- http://jvn.jp/en/jp/JVN43969166/index.htmlThird Party Advisory
- http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.htmlThird Party Advisory, VDB Entry
- http://www.openwall.com/lists/oss-security/2022/04/12/6Mailing List, Third Party Advisory
- https://cwiki.apache.org/confluence/display/WW/S2-061Vendor Advisory
- https://security.netapp.com/advisory/ntap-20210115-0005/Patch, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- http://jvn.jp/en/jp/JVN43969166/index.htmlThird Party Advisory
- http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.htmlThird Party Advisory, VDB Entry
- http://www.openwall.com/lists/oss-security/2022/04/12/6Mailing List, Third Party Advisory
- https://cwiki.apache.org/confluence/display/WW/S2-061Vendor Advisory
- https://security.netapp.com/advisory/ntap-20210115-0005/Patch, Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530US Government Resource
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2020-17530?
How severe is CVE-2020-17530?
How do I fix CVE-2020-17530?
Are you affected by CVE-2020-17530?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST