Struts2 S2-061 Remote Code Execution Vulnerability (CVE-2020-17530) Threat Alert
January 4, 2021
Overview
On December 8, 2020, the Apache Struts project published security bulletin S2-061, disclosing a potential remote code execution vulnerability (CVE-2020-17530).
The vulnerability stems from insufficient input validation: when a Struts tag attribute is subjected to forced Object Graph Navigation Library (OGNL) evaluation, the raw user input it carries is evaluated twice as an OGNL expression.
If the value of such an attribute can be influenced by external input, an attacker can craft a malicious OGNL expression that is executed during the second evaluation, triggering the vulnerability.
The vulnerability has been fixed in Struts 2.5.26. Affected users are advised to upgrade to Struts 2.5.26 without delay.