CVE-2019-0230

high-risk

Published 2020-09-14

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Do I need to act?

93.7% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

49068

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Struts

Communications Policy Management

Financial Services Data Integration Hub

Financial Services Market Risk Measurement And Management

Mysql Enterprise Monitor

Apache Oracle

Exploit http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Eva...

Exploit http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Ev...

Vendor Advisory https://cwiki.apache.org/confluence/display/ww/s2-059

Permissions Required https://launchpad.support.sap.com/#/notes/2982840

Patch https://www.oracle.com/security-alerts/cpuApr2021.html

Patch https://www.oracle.com/security-alerts/cpujan2021.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

Exploit http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Eva...

Exploit http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Ev...

Vendor Advisory https://cwiki.apache.org/confluence/display/ww/s2-059

Permissions Required https://launchpad.support.sap.com/#/notes/2982840

Patch https://www.oracle.com/security-alerts/cpuApr2021.html

Patch https://www.oracle.com/security-alerts/cpujan2021.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 13/34 · Low