==================================================================                               CERT-Renater

                    Note d'Information No. 2022/VULN153
______________________________________________________________________

DATE                : 13/04/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Apache Struts versions prior
                                 to 2.5.30.

====================================================================https://lists.apache.org/thread/gl3kqh3rm7n8owhbkf3syo6mo52bsv4l
_______________________________________________________________________
CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on
raw not validated user input in tag attributes, may lead to RCE.


Description:

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts
2.0.0 to 2.5.29, still some of the tag’s attributes could perform a
double evaluation if a developer applied forced OGNL evaluation by using
the %{...} syntax. Using forced OGNL evaluation on untrusted user input
can lead to a Remote Code Execution and security degradation.


Mitigation:

Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.30 which checks if expression evaluation won’t
lead to the double evaluation.

Please read our Security Bulletin S2-062 for more details.


Credit:

Apache Struts would like to thank Chris McCown for reporting this issue!

References:

https://cwiki.apache.org/confluence/display/WW/S2-062



========================================================+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=======================================================
--------------wsiGon03KwZA3uHGTQfcMMtw--