Apache Struts 2.0.0 to 2.5.26 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the K24608264 advisory.

  - Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code     execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. (CVE-2020-17530)

  - The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the     tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using     the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code     Execution and security degradation. (CVE-2021-31805)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Struts installed on the remote host is prior to 2.5.26. It is, therefore, affected by a vulnerability as referenced in the S2-061 advisory.

  - Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code     execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. (CVE-2020-17530)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Struts installed on the remote host is 2.x prior to 2.5.26. It is, therefore, affected by a a remote code execution vulnerability in its OGNL evaluation functionality due to insufficient validation of user input. An unauthenticated, remote attacker can exploit this to execute arbitrary commands on an affected host.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Struts installed on the remote host is 2.x prior to 2.5.26. It is, therefore, affected by a a remote code execution vulnerability in its OGNL evaluation functionality due to insufficient validation of user input. An unauthenticated, remote attacker can exploit this to execute arbitrary commands on an affected host.

MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.24. Therefore, it's affected by multiple vulnerabilities as referenced in the April 2021 CPU advisory.

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Apache Tomcat)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor.
    Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to     all MySQL Enterprise Monitor accessible data (CVE-2020-17527).

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Apache Struts)). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful     attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor (CVE-2020-17530).

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (OpenSSL)).
    Supported versions that are affected are 8.0.23 and prior. Difficult to exploit vulnerability allows     unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Successful attacks     of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or     all MySQL Enterprise Monitor accessible data as well as unauthorized access to critical data or complete access     to all MySQL Enterprise Monitor accessible data (CVE-2021-3450).

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
112765	Apache Struts 2.x < 2.5.26 Remote Code Execution (S2-061)	Web App Scanning	Component Vulnerability	4/29/2021	2/1/2022	critical
184325	F5 Networks BIG-IP : Apache Struts vulnerabilities (K24608264)	Nessus	F5 Networks Local Security Checks	11/3/2023	5/7/2024	critical
151425	Apache Struts 2.0.0 < 2.5.26 Possible Remote Code Execution vulnerability (S2-061)	Nessus	Misc.	7/6/2021	8/9/2023	critical
143599	Apache Struts 2.x < 2.5.26 RCE (S2-061)	Nessus	Misc.	12/9/2020	6/16/2023	critical
144365	Apache Struts 2.x < 2.5.26 RCE (S2-061) (direct check)	Nessus	CGI abuses	12/17/2020	7/17/2024	critical
148986	Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Apr 2021 CPU)	Nessus	CGI abuses	4/26/2021	4/25/2023	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical