...
| Excerpt |
|---|
| Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. |

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Possible Remote Code Execution vulnerability |
| Maximum security rating | Important |
| Recommendation | Always validate incoming parameters' values when re-assigning them to certain Struts tag attributes. Don't use %{...} or ${...} syntax referencing user-modifiable input in tag attributes other than value unless you have a valid use-case. Consider activating Proactive OGNL Expression Injection Protection if applicable. Alternatively, upgrade to Struts 2.5.22 or greater. |
| Affected Software | Struts 2.0.0 - Struts 2.5.20 |
| Reporters | Matthias Kaiser, Apple Information Security |
| CVE Identifier | CVE-2019-0230 |
Problem
The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tag attributes such as id, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).
...
The ultimate fix is adding proper validation of each incoming value that is used in a tag's attributes. Don't use forced evaluation of an attribute other than value using %{...} or ${...} syntax unless it is really needed for a valid use-case.
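As an added example, not code from this advisory or the Struts project, an Action that validates a request parameter before it can be re-used in a tag attribute, with the vulnerable and hardened tag usage shown in the trailing comment; SkillAction, skillName and the JSP fragments are hypothetical:

```java
// Added example: SkillAction, skillName and the JSP fragments are hypothetical.
import com.opensymphony.xwork2.ActionSupport;
import java.util.regex.Pattern;

public class SkillAction extends ActionSupport {

    // Allowlist for anything that may end up in a tag's id attribute:
    // letters, digits, underscore and hyphen only, so the %{...} and ${...}
    // expression delimiters can never reach the attribute.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private String skillName;

    public String getSkillName() {
        return skillName;
    }

    // The parameters interceptor calls this setter with the raw request value.
    // Rejecting anything outside the allowlist here means a forced %{...}
    // evaluation in the view has nothing expression-like left to evaluate.
    public void setSkillName(String skillName) {
        if (skillName == null || !SAFE_ID.matcher(skillName).matches()) {
            this.skillName = null;
            return;
        }
        this.skillName = skillName;
    }

    @Override
    public String execute() {
        return SUCCESS;
    }
}

/* In the JSP view for this action:

   Pattern the advisory describes: id is first populated from skillName and
   the result is then evaluated a second time as OGNL because of the forced
   %{...} syntax, so an unvalidated request parameter controls that evaluation.

     <s:a id="%{skillName}">Skill</s:a>

   Hardened: use a literal id, or keep %{skillName} only because the setter
   above guarantees the value is a plain identifier.

     <s:a id="skill-link">Skill</s:a>
*/
```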
...