struts2-core is vulnerable to remote code execution. When forced OGNL evaluation is applied to a tag attribute with the %{...} syntax, the attribute value can be evaluated twice (double evaluation). If an attacker can supply malicious input to be evaluated, this leads to remote code execution.
CPE | Name | Operator | Version |
---|---|---|---|
 | struts 2 core | le | 2.5.25 |
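
An audit sketch for the issue described above, added here as an example (it is not code from the advisory or from the Struts project): it lists Struts tag attributes in JSP source that force OGNL evaluation with %{...}, so each can be reviewed for values that may carry user input, and checks a version string against the affected range in the table. The s: tag prefix, the function names and the sample JSP are assumptions made for illustration.

```python
import re

# Assumption: the taglib is mapped to the conventional "s" prefix.
TAG_RE = re.compile(
    r"""<s:([\w.-]+)((?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*/?>""")
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
FORCED_RE = re.compile(r"%\{.*?\}", re.S)
AFFECTED_MAX = (2, 5, 25)  # affected range from the table: le 2.5.25

# Constructed sample JSP, not taken from any real application.
SAMPLE_JSP = '''<%@ taglib prefix="s" uri="/struts-tags" %>
<s:textfield name="username" label="User"/>
<s:a id="%{skillName}" href="/list">List</s:a>
<s:url var="u" action="show"><s:param name="id" value="%{id}"/></s:url>
'''


def find_forced_ognl(source):
    """Return (line, tag, attribute, value) for each forced-OGNL attribute."""
    findings = []
    for tag in TAG_RE.finditer(source):
        line = source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            value = attr.group(2) if attr.group(2) is not None else attr.group(3)
            if FORCED_RE.search(value):
                findings.append((line, tag.group(1), attr.group(1), value))
    return findings


def is_affected(version):
    """True if a struts2-core version string falls in the affected range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(p or 0) for p in m.groups()) <= AFFECTED_MAX


if __name__ == "__main__":
    for line, tag, attr, value in find_forced_ognl(SAMPLE_JSP):
        print("line %d: <s:%s %s=%r> forces OGNL evaluation; "
              "confirm the value cannot carry user input" % (line, tag, attr, value))
    print("2.5.25 affected:", is_affected("2.5.25"))
```

A finding is a review item, not proof of exposure: the attribute matters only when the evaluated expression can resolve to raw user input.
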
jvn.jp/en/jp/JVN43969166/index.html
packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
www.openwall.com/lists/oss-security/2022/04/12/6
cwiki.apache.org/confluence/display/WW/S2-061
security.netapp.com/advisory/ntap-20210115-0005/
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpuoct2021.html