Incomplete Fix for Forced OGNL Evaluation in Apache Struts 2.0.0 to 2.5.29 Allows Remote Code Execution
CVE-2021-31805 · CRITICAL Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Learn more about our Cis Benchmark Audit For Apache Http Server.