On April 9, 2022, Apache officially released a security advisory for Apache Struts2 covering CVE-2021-31805, rated Important. The flaw lies in the Object Graph Navigation Language (OGNL) evaluation of Apache Struts: applying forced OGNL evaluation to untrusted user input allows an attacker to perform remote code execution, degrading the security of the system. Successful exploitation of CVE-2021-31805 may allow attackers to take control of vulnerable systems.
Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible through a plugin architecture, and ships with plugins supporting REST, AJAX, and JSON.
Vulnerability Detail
The fix issued for CVE-2020-17530 (S2-061) was incomplete: some tag attributes could still perform a double evaluation if a developer applied forced OGNL evaluation using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.
Affected version
- Apache Struts: 2.0.0 – 2.5.29
Unaffected version
- Apache Struts: 2.5.30
Solution
We therefore recommend that users promptly upgrade Apache Struts2 to the latest version (2.5.30 or later) and avoid using forced OGNL evaluation on untrusted user input.
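As an added audit example (not part of the advisory or of the Struts project): a small Python scanner that flags the forced-evaluation pattern described under Vulnerability Detail, so the recommendation above to avoid forced OGNL evaluation on untrusted input can be checked against JSP templates. The sample JSP, the `review`/`direct` severity labels and the list of request-exposing OGNL roots are constructed assumptions; a plain property in `%{...}` is only marked for review because a static scan cannot tell whether it is populated from a request parameter.

```python
import re

# Matches a Struts 2 tag (<s:...>) and captures its attribute string.
STRUTS_TAG = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# Matches name="value" or name='value' inside the attribute string.
ATTR = re.compile(r"""(\w[\w-]*)\s*=\s*(["'])(.*?)\2""", re.DOTALL)
# Matches a forced OGNL evaluation %{ ... } inside an attribute value.
FORCED = re.compile(r"%\{(.*?)\}", re.DOTALL)
# OGNL context roots that expose request data directly (assumed list).
REQUEST_ROOTS = ("#parameters", "#request", "#session", "#application", "#attr")

# Constructed sample JSP, not taken from the page or any real project.
SAMPLE_JSP = """
<s:textfield name="userName" label="User" />
<s:a id="%{skillName}" href="#">profile</s:a>
<s:url var="next" value="%{#parameters.page[0]}" />
<s:property value="%{name}" />
"""


def classify(expr):
    """'direct' when the expression reads request data through an OGNL
    context root; otherwise 'review', because a plain property such as
    skillName may still be filled from a request parameter by the params
    interceptor."""
    return "direct" if any(root in expr for root in REQUEST_ROOTS) else "review"


def find_forced_ognl(jsp_text):
    """Return (tag, attribute, expression, severity) for every %{...}
    found in a Struts tag attribute."""
    findings = []
    for tag_match in STRUTS_TAG.finditer(jsp_text):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        for attr_match in ATTR.finditer(attrs):
            attr_name, _, value = attr_match.groups()
            for forced in FORCED.finditer(value):
                expr = forced.group(1).strip()
                findings.append((tag, attr_name, expr, classify(expr)))
    return findings


if __name__ == "__main__":
    for tag, attr, expr, severity in find_forced_ognl(SAMPLE_JSP):
        print(f"[{severity}] <s:{tag} {attr}=\"%{{{expr}}}\">")
```

Run it over a template directory by reading each `.jsp` file into `find_forced_ognl`; every `direct` hit and every `review` hit whose property is bound to request input should be replaced by the tag's plain attribute form.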