CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2020-17530

CVSS 9.8v3.1pub. 2020-12-11upd. 2025-10-27

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Struts

    APP
    Apache
    2.0.0 – 2.5.30 (bez)
  • Oracle Business Intelligence

    APP
    Oracle
    12.2.1.3.012.2.1.4.0
  • Oracle Communications Diameter Intelligence Hub

    APP
    Oracle
    8.0.08.1.08.2.08.2.3
  • Oracle Communications Policy Management

    APP
    Oracle
    12.5.0
  • Oracle Communications Pricing Design Center

    APP
    Oracle
    12.0.0.3.0
  • Oracle Financial Services Data Integration Hub

    APP
    Oracle
    8.0.38.0.6
  • Oracle Hospitality Opera 5

    APP
    Oracle
    5.6
  • Oracle MySQL Enterprise Monitor

    APP
    Oracle
    8.0.23

CISA KEV — detailsi

Vendori
Apache
Producti
Struts
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2020-1938CRITICAL9.8⚠ KEVten sam produkt

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache To...

CVE-2017-9791CRITICAL9.8⚠ KEVten sam produkt

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...

CVE-2016-8735CRITICAL9.8⚠ KEVten sam produkt

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5....