Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

Severity: 9.8 CRITICAL
EPSS: 93.7% (top 0.15%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Sep 14; latest update Dec 2

Description

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (7 packages)

Source    | Package                        | Versions
Maven     | org.apache.struts:struts2-core | 2.0.0, 2.5.22
NVD       | apache/struts                  | 2.0.0, 2.5.20
CVEListV5 | apache_struts                  | Apache Struts 2.0.0 to 2.5.20

Patches

🔴 Vulnerability Details (3)

GHSA: Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts (2021-12-02)
OSV: Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts (2021-12-02)
CVEList: CVE-2019-0230: Apache Struts 2 (2020-09-14)

💥 Exploits & PoCs (2)

Exploit-DB: Apache Struts 2.5.20 - Double OGNL evaluation (2020-11-17)
Nuclei: Apache Struts <=2.5.20 - Remote Code Execution

🔍 Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2019-0230) (2021-07-24)

📋 Vendor Advisories (2)

Oracle: Oracle Financial Services Applications Risk Matrix: User Interface (Apache Struts) — CVE-2019-0230 (2021-01-15)
Red Hat: struts2: possible RCE due to forced double OGNL evaluation when evaluated on raw user input in tag attributes (2020-08-13)

🕵️ Threat Intelligence (3)

Trendmicro: CVE-2019-0230: Apache Struts OGNL Remote Code Execution (2020-10-07)

💬 Community (1)

Bugzilla: CVE-2019-0230 struts2: possible RCE due to forced double OGNL evaluation when evaluated on raw user input in tag attributes (2020-08-18)