CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.4%
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Vendor | Product | Version | CPE |
---|---|---|---|
apache | struts | * | cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* |
oracle | communications_policy_management | 12.5.0 | cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:* |
oracle | financial_services_data_integration_hub | 8.0.3 | cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.3:*:*:*:*:*:*:* |
oracle | financial_services_data_integration_hub | 8.0.6 | cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:* |
oracle | financial_services_market_risk_measurement_and_management | 8.0.6 | cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* |
oracle | mysql_enterprise_monitor | * | cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* |
packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
cwiki.apache.org/confluence/display/ww/s2-059
launchpad.support.sap.com/#/notes/2982840
lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpuoct2021.html
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.4%