Incomplete Fix for Forced OGNL Evaluation in Apache Struts 2.0.0 to 2.5.29 Allows Remote Code Execution

Incomplete Fix for Forced OGNL Evaluation in Apache Struts 2.0.0 to 2.5.29 Allows Remote Code Execution

CVE-2021-31805 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Learn more about our Cis Benchmark Audit For Apache Http Server.