⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-17530Expression Language Injection in Apache Struts

CWE-917Expression Language InjectionCWE-94Code InjectionCWE-20Improper Input Validation20 documents11 sources
Severity
9.8CRITICALNVD
EPSS
94.4%
top 0.03%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
9
Apache StrutsApache Software Foundation Apache StrutsOracle Business Intelligence+6 more
Timeline
PublishedDec 11
KEV addedNov 3
Latest updateApr 15
KEV dueMay 3
CISA Required Action: Apply updates per vendor instructions.

Description

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages9 packages

CVEListV5apache_software_foundation/apache_struts2.0.0 to 2.5.29, Struts 2.0.0 - Struts 2.5.25+1
NVDapache/struts2.0.02.5.30
NVDoracle/business_intelligence12.2.1.3.0, 12.2.1.4.0+1

Patches

Patch: security.netapp.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

5
GHSA
Expression Language Injection in Apache Struts2022-04-13
OSV
Remote code execution in Apache Struts2022-02-09
GHSA
Remote code execution in Apache Struts2022-02-09
CVEList
CVE-2020-17530: Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution2020-12-11
VulnCheck
Apache Struts Remote Code Execution Vulnerability2020

💥Exploits & PoCs

2
Nuclei
Apache Struts 2.0.0-2.5.25 - Remote Code Execution
Nuclei
Apache Struts2 S2-062 - Remote Code Execution

🔍Detection Rules

2
Suricata
ET EXPLOIT Apache Struts RCE Attempt (CVE-2020-17530)2022-01-28
Suricata
ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2020-17530)2021-07-24

📋Vendor Advisories

8
Oracle
Oracle Oracle Communications Risk Matrix: Visualization (Apache Struts) — CVE-2020-175302022-04-15
Red Hat
Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.2022-04-12
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Installation (Apache Struts2) — CVE-2020-175302022-01-15
CISA
Apache Struts Remote Code Execution Vulnerability2021-11-03
Oracle
Oracle Oracle Communications Risk Matrix: Enterprise Policy (Apache Struts2) — CVE-2020-175302021-10-15

🕵️Threat Intelligence

2
Qualys
CVE-2020-17530 Apache Struts OGNL Injection | Qualys2021-09-21
Qualys
Apache Struts 2 Double OGNL Evaluation Vulnerability (CVE-2020-17530)2021-09-21
CVE-2020-17530 — Expression Language Injection | cvebase