oss-security - CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <ab7e33c7-9941-fe45-90dd-3217e0f82ed0@apache.org>
Date: Tue, 12 Apr 2022 15:15:06 +0000
From: Yasser Zamani <yasserzamani@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when
 evaluated on raw not validated user input in tag attributes, may lead to
 RCE. 

Description:

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Mitigation:

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 which checks if expression evaluation won’t lead to the double evaluation.

Please read our Security Bulletin S2-062 for more details.

Credit:

Apache Struts would like to thank Chris McCown for reporting this issue!

References:

https://cwiki.apache.org/confluence/display/WW/S2-062

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.