Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Published: 2020-08-14
Apache published two security bulletins to address a potential remote code execution vulnerability and a denial of service vulnerability. Public proof of concept code is available.

Background

On August 13, Apache published security bulletins to address two vulnerabilities in Apache Struts version 2. Apache Struts is an open source model-view-controller (MVC) framework used to create Java web applications.
https://www.tenable.com/blog/one-year-later-what-can-we-learn-from-zerologon
https://www.tenable.com/cyber-exposure/2020-threat-landscape-retrospective
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://launchpad.support.sap.com/#/notes/2982840
https://cwiki.apache.org/confluence/display/ww/s2-059
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html