CVE-2019-0230 — CRITICAL (9.8)

Q: What is CVE-2019-0230?

CVE-2019-0230 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Q: How severe is CVE-2019-0230?

CVE-2019-0230 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-0230?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Oracle Communications Policy Management, Oracle Financial Services Data Integration Hub, Oracle Financial Services Market Risk Measurement And Management, Oracle Mysql Enterprise Monitor.

Vulnerability Description

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Struts	>= 2.0.0, <= 2.5.20
Oracle	Communications Policy Management	12.5.0
Oracle	Financial Services Data Integration Hub	8.0.3
Oracle	Financial Services Market Risk Measurement And Management	8.0.6
Oracle	Mysql Enterprise Monitor	<= 8.0.23

Related Weaknesses (CWE)

CWE-1321

References

http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-EvaExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-EvExploitThird Party AdvisoryVDB Entry
https://cwiki.apache.org/confluence/display/ww/s2-059Vendor Advisory
https://launchpad.support.sap.com/#/notes/2982840Permissions Required
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a9
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be40
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-EvaExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-EvExploitThird Party AdvisoryVDB Entry
https://cwiki.apache.org/confluence/display/ww/s2-059Vendor Advisory
https://launchpad.support.sap.com/#/notes/2982840Permissions Required
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a9
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be40

FAQ

What is CVE-2019-0230?

CVE-2019-0230 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

How severe is CVE-2019-0230?

CVE-2019-0230 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-0230?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Oracle Communications Policy Management, Oracle Financial Services Data Integration Hub, Oracle Financial Services Market Risk Measurement And Management, Oracle Mysql Enterprise Monitor.