{"containers": {"cna": {"affected": [{"product": "Apache Struts", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Struts 2.0.0 - Struts 2.5.25"}]}], "descriptions": [{"lang": "en", "value": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25."}], "problemTypes": [{"descriptions": [{"description": "Remote Code Execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:21:54.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cwiki.apache.org/confluence/display/WW/S2-061"}, {"name": "JVN#43969166", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN43969166/index.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210115-0005/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "[oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-17530", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Struts", "version": {"version_data": [{"version_value": "Struts 2.0.0 - Struts 2.5.25"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution"}]}]}, "references": {"reference_data": [{"name": "https://cwiki.apache.org/confluence/display/WW/S2-061", "refsource": "CONFIRM", "url": "https://cwiki.apache.org/confluence/display/WW/S2-061"}, {"name": "JVN#43969166", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN43969166/index.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210115-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210115-0005/"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "[oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:48.908Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cwiki.apache.org/confluence/display/WW/S2-061"}, {"name": "JVN#43969166", "tags": ["third-party-advisory", "x_refsource_JVN", "x_transferred"], "url": "http://jvn.jp/en/jp/JVN43969166/index.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210115-0005/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "[oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-17530", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-06T20:53:17.181618Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530", "tags": ["government-resource"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}], "timeline": [{"time": "2021-11-03T00:00:00+00:00", "lang": "en", "value": "CVE-2020-17530 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T23:35:31.563Z"}}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-17530", "datePublished": "2020-12-11T01:11:04.000Z", "dateReserved": "2020-08-12T00:00:00.000Z", "dateUpdated": "2025-10-21T23:35:31.563Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cwiki.apache.org/confluence/display/WW/S2-061", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "http://jvn.jp/en/jp/JVN43969166/index.html", "name": "JVN#43969166", "tags": ["third-party-advisory", "x_refsource_JVN", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210115-0005/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/04/12/6", "name": "[oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:48.908Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-17530", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-06T20:53:17.181618Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2020-17530"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T20:53:02.728Z"}, "timeline": [{"lang": "en", "time": "2021-11-03T00:00:00+00:00", "value": "CVE-2020-17530 added to CISA KEV"}]}], "cna": {"affected": [{"vendor": "Apache Software Foundation", "product": "Apache Struts", "versions": [{"status": "affected", "version": "Struts 2.0.0 - Struts 2.5.25"}]}], "references": [{"url": "https://cwiki.apache.org/confluence/display/WW/S2-061", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://jvn.jp/en/jp/JVN43969166/index.html", "name": "JVN#43969166", "tags": ["third-party-advisory", "x_refsource_JVN"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "tags": ["x_refsource_MISC"]}, {"url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20210115-0005/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/04/12/6", "name": "[oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Remote Code Execution"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-04-19T23:21:54.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "Struts 2.0.0 - Struts 2.5.25"}]}, "product_name": "Apache Struts"}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://cwiki.apache.org/confluence/display/WW/S2-061", "name": "https://cwiki.apache.org/confluence/display/WW/S2-061", "refsource": "CONFIRM"}, {"url": "http://jvn.jp/en/jp/JVN43969166/index.html", "name": "JVN#43969166", "refsource": "JVN"}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC"}, {"url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", "name": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20210115-0005/", "name": "https://security.netapp.com/advisory/ntap-20210115-0005/", "refsource": "CONFIRM"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC"}, {"url": "http://www.openwall.com/lists/oss-security/2022/04/12/6", "name": "[oss-security] 20220412 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.", "refsource": "MLIST"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-17530", "STATE": "PUBLIC", "ASSIGNER": "security@apache.org"}}}}, "cveMetadata": {"cveId": "CVE-2020-17530", "state": "PUBLISHED", "dateUpdated": "2025-07-28T19:48:27.629Z", "dateReserved": "2020-08-12T00:00:00.000Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2020-12-11T01:11:04.000Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Apache Struts Remote Code Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", "matchCriteriaId": "23D366CD-5A53-400A-B846-D4F287915BC5", "versionEndExcluding": "2.5.30", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "77C3DD16-1D81-40E1-B312-50FBD275507C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "81DAC8C0-D342-44B5-9432-6B88D389584F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F2E30096-0B9A-4301-A34A-DAECE85FE1F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6B88D928-9735-4E5C-B8D3-597AB2A15854", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "BE4A02B1-4E35-4054-9FEB-886985267199", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "C3027474-CF8F-432D-9295-C56CD9A8B710", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5312AC7A-3C16-4967-ACA6-317289A749D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7B49D71-6A31-497A-B6A9-06E84F086E7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "25B0D39E-A630-4C85-AF90-396FB3E0FE7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "987A0C35-4C7F-4FFB-B47B-37B69A32F879", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "95D6A426-B914-401F-9AB0-5F5E3A3FE138", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.23:*:*:*:*:*:*:*", "matchCriteriaId": "955955B3-95F0-4887-97DC-58FB7A13F257", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25."}, {"lang": "es", "value": "Una evaluaci\u00f3n OGNL forzada, cuando se eval\u00faa seg\u00fan la entrada del usuario sin procesar en los atributos de la etiqueta, puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota. Software afectado: Apache Struts versi\u00f3n 2.0.0 - Struts versi\u00f3n 2.5.25"}], "id": "CVE-2020-17530", "lastModified": "2025-10-27T17:37:20.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2020-12-11T02:15:10.883", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "http://jvn.jp/en/jp/JVN43969166/index.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://cwiki.apache.org/confluence/display/WW/S2-061"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210115-0005/"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://jvn.jp/en/jp/JVN43969166/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://cwiki.apache.org/confluence/display/WW/S2-061"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210115-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-917"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "struts2: using forced OGNL evaluation on untrusted user input can lead to a RCE and security degradation", "id": "1905645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905645"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.", "A flaw was found in the Apache Struts frameworks. When forced, some of the tag's attributes perform a double evaluation if a developer applies forced OGNL evaluation by using the %{...} syntax. Using a forced OGNL evaluation on untrusted user input allows an attacker to perform remote code execution and security degradation. The highest threat from this vulnerability is to data confidentiality, integrity as well as system availability."], "name": "CVE-2020-17530", "package_state": [{"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Not affected", "package_name": "struts", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "struts", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "struts-core", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "struts", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "struts", "product_name": "Red Hat JBoss Operations Network 3"}], "public_date": "2020-12-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-17530\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-17530\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "Apache Struts2 is not compiled, shipped, used, or enabled in Red Hat products. As such, any CVE against Apache Struts2 does not impact currently supported Red Hat products.\nThis statement was last revised on 1 Sept 2020.\nPrevious statement example: https://bugzilla.redhat.com/show_bug.cgi?id=1469265", "threat_severity": "Important"}