CVE-2020-17530
critical-risk
Published 2020-12-11
Forced OGNL evaluation (the `%{...}` syntax in a Struts tag attribute), when applied to raw user input, may lead to remote code execution: the attacker-supplied value is evaluated a second time as an OGNL expression. Affected software: Apache Struts 2.0.0 through 2.5.25 (fixed in 2.5.26; see vendor advisory S2-061).
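The two checks a practitioner wants from a listing like this are "is my Struts in the affected range" and "where does my code force OGNL evaluation on a value that may come from the request". The script below, as an added example that is not code from this page, from Apache Struts or from any vendor, does both: it reads the struts2-core version out of a Maven pom, compares it against the 2.0.0 to 2.5.25 range named above, and lists every `%{...}` tag attribute in a JSP as a candidate for review. Assumptions not stated on the page: the Struts tag library is bound to the conventional `s` prefix, and the sample pom and JSP are constructed for the demo. The scanner cannot know which action properties are populated from request parameters, so every hit is a review item, not a confirmed finding.

```python
"""Triage helpers for CVE-2020-17530 (Struts S2-061, forced OGNL double evaluation).

Added example; not code from the page, Apache Struts or any vendor.
Assumptions: Struts tags use the conventional "s" prefix; sample inputs are constructed.
"""
import re

# Affected range as stated in the advisory text: Struts 2.0.0 through 2.5.25.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 25)

# Constructed sample inputs (not real project files).
SAMPLE_POM = """\
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.25</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="save">
  <s:textfield name="title" label="Title"/>
  <s:a id="%{skillName}" href="#">link</s:a>
  <s:property value="%{#parameters.q[0]}" escapeHtml="false"/>
</s:form>
"""

# struts2-core dependency followed by its <version> element.
POM_RE = re.compile(
    r"<artifactId>\s*struts2-core\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>",
    re.DOTALL,
)
# A Struts tag <s:NAME ...> (opening or self-closing); attributes parsed from its body.
TAG_RE = re.compile(r"<s:([A-Za-z]+)\b([^>]*)>")
ATTR_RE = re.compile(r'([A-Za-z][\w:-]*)\s*=\s*"([^"]*)"')
# Forced OGNL evaluation marker inside an attribute value.
FORCED_RE = re.compile(r"%\{(.*?)\}")


def parse_version(version: str) -> tuple:
    """Turn "2.5.25" into (2, 5, 25); rejects Maven property refs like ${struts.version}."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Struts version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True when the version falls inside 2.0.0 .. 2.5.25 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def struts_version_from_pom(pom_text: str):
    """Return the struts2-core version declared in a pom, or None if absent."""
    m = POM_RE.search(pom_text)
    return m.group(1) if m else None


def find_forced_ognl(jsp_text: str):
    """List (line, tag, attribute, inner_expression) for every %{...} tag attribute.

    Each hit needs a human decision: if the inner expression can carry data that
    came from the request, the forced evaluation is the S2-061 pattern and the
    attribute should take a plain value instead.
    """
    hits = []
    for m in TAG_RE.finditer(jsp_text):
        tag, body = m.group(1), m.group(2)
        line = jsp_text.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(body):
            attr, value = a.group(1), a.group(2)
            for f in FORCED_RE.finditer(value):
                hits.append((line, tag, attr, f.group(1)))
    return hits


def triage(pom_text: str, jsp_text: str) -> dict:
    """Combine both checks into one report for a project."""
    version = struts_version_from_pom(pom_text)
    affected = is_affected_version(version) if version else None
    return {"version": version, "affected": affected, "forced_ognl": find_forced_ognl(jsp_text)}


if __name__ == "__main__":
    report = triage(SAMPLE_POM, SAMPLE_JSP)
    print(f"struts2-core {report['version']}: affected={report['affected']}")
    for line, tag, attr, expr in report["forced_ognl"]:
        print(f"  line {line}: <s:{tag} {attr}=\"%{{{expr}}}\"> -> review for user-controlled input")
```

Run it against the real pom and a glob of JSP/FreeMarker views; a `%{...}` wrapping a property that the params interceptor fills from the request (the `id="%{skillName}"` line in the sample) is the case the advisory describes, while `%{...}` around constants is harmless but still worth removing for clarity.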
Do I need to act?
EPSS: 94.4% probability of exploitation in the next 30 days
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
Fix available
Upgrade to: Apache Struts 2.5.26 (vendor advisory S2-061); fix commit: e4db6b720e4d3e798d0741dfe8c1ef2289fef8b7
CVSS 9.8/10 (Critical): attack vector Network, attack complexity Low
Affected Products (13)
Communications Diameter Intelligence Hub
References (23)
Third Party Advisory
http://jvn.jp/en/jp/JVN43969166/index.html
Third Party Advisory
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Ev...
Vendor Advisory
https://cwiki.apache.org/confluence/display/WW/S2-061
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
and 3 more references
Risk score: 76/100 (critical-risk)
Severity: 32/34 (Critical)
Exploitability: 27/34 (High)
Exposure: 17/34 (Moderate)