====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN662
_____________________________________________________________________

DATE                : 08/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Struts versions prior to
                                            2.5.26.

=====================================================================
http://mail-archives.apache.org/mod_mbox/struts-announcements/202012.mbox/%3cCAMopvkNhCA2dWwKMJbZjJLGD6NrxCRyZ3QOSetwdXPnGRz9mLQ@mail.gmail.com%3e
_____________________________________________________________________

Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.


Problem
Some of the tag's attributes could perform a double evaluation if a
developer applied forced OGNL evaluation by using the %{...} syntax.
Using forced OGNL evaluation on untrusted user input can lead to a
Remote Code Execution and security degradation.


Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.26 which checks if expression evaluation won't
lead to the double evaluation.

Please read our Security Bulletin for more details:
https://cwiki.apache.org/confluence/display/WW/S2-061

This vulnerability was identified by:
- Alvaro Munoz - pwntester at github dot com
- Masato Anzai of Aeye Security Lab, inc.

All developers are strongly advised to perform this action.


Kind regards


Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================