CVE-2020-17530 — CRITICAL (9.8)

Q: What is CVE-2020-17530?

CVE-2020-17530 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Q: How severe is CVE-2020-17530?

CVE-2020-17530 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-17530?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Oracle Business Intelligence, Oracle Communications Diameter Intelligence Hub, Oracle Communications Policy Management, Oracle Communications Pricing Design Center.

Vulnerability Description

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Struts	>= 2.0.0, < 2.5.30
Oracle	Business Intelligence	12.2.1.3.0
Oracle	Communications Diameter Intelligence Hub	8.0.0
Oracle	Communications Policy Management	12.5.0
Oracle	Communications Pricing Design Center	12.0.0.3.0
Oracle	Financial Services Data Integration Hub	8.0.3
Oracle	Hospitality Opera 5	5.6
Oracle	Mysql Enterprise Monitor	8.0.23

Related Weaknesses (CWE)

CWE-917

References

http://jvn.jp/en/jp/JVN43969166/index.htmlThird Party Advisory
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-EvThird Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2022/04/12/6Mailing ListThird Party Advisory
https://cwiki.apache.org/confluence/display/WW/S2-061Vendor Advisory
https://security.netapp.com/advisory/ntap-20210115-0005/PatchThird Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
http://jvn.jp/en/jp/JVN43969166/index.htmlThird Party Advisory
http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-EvThird Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2022/04/12/6Mailing ListThird Party Advisory
https://cwiki.apache.org/confluence/display/WW/S2-061Vendor Advisory

FAQ

What is CVE-2020-17530?

CVE-2020-17530 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

How severe is CVE-2020-17530?

CVE-2020-17530 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-17530?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Oracle Business Intelligence, Oracle Communications Diameter Intelligence Hub, Oracle Communications Policy Management, Oracle Communications Pricing Design Center.