Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13cDRoLXB2Z3ctNTcyN80Y7Q
Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Permalink: https://github.com/advisories/GHSA-wp4h-pvgw-5727JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cDRoLXB2Z3ctNTcyN80Y7Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-wp4h-pvgw-5727, CVE-2019-0230
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0230
- https://cwiki.apache.org/confluence/display/ww/s2-059
- https://launchpad.support.sap.com/#/notes/2982840
- https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
- http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
- https://github.com/advisories/GHSA-wp4h-pvgw-5727
Affected Packages
maven:org.apache.struts:struts2-core
Dependent packages: 194Dependent repositories: 6,183
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.5.22
Fixed in: 2.5.22
All affected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20
All unaffected versions: 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0