Apache Struts 2 remote code execution vulnerability (CVE-2020-17530) warning

Recently, the National Information Security Vulnerability Database (CNNVD) received reports on Apache Struts2 S2-061 remote code execution vulnerabilities (CNNVD-202012-449, CVE-2020-17530). An attacker who successfully exploited the vulnerability could execute malicious code on the target system. Apache Struts 2.0.0-2.5.25 versions are all affected by this vulnerability. Currently, Apache has officially released a version update to fix the vulnerability. It is recommended that users confirm the product version in time and take corrective measures as soon as possible.

1. Vulnerability introduction

Apache Struts2 is a sub-project of the Jakarta project under the Apache Software Foundation, and is a web application framework designed around the MVC pattern.

The vulnerability stems from the fact that Apache Struts2 evaluates OGNL expressions in certain tag attributes. Because the attribute content is not filtered, a carefully constructed request from an attacker can cause a second (double) OGNL evaluation and execute the specified malicious code.

2. Harmful effects

An attacker who successfully exploited the vulnerability could execute malicious code on the target system. Apache Struts 2.0.0-2.5.25 versions are all affected by this vulnerability.

3. Repair suggestions

Currently, Apache has officially released a version update to fix the vulnerability. It is recommended that users confirm the product version in time and take corrective measures as soon as possible. The official Apache update link is as follows:

http://struts.apache.org/download.cgi
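To help with the version confirmation the bulletin recommends, here is an added example (not part of the CNNVD bulletin or the Apache project): a Python helper that scans a deployment's WEB-INF/lib directory for struts2-core jars and flags any whose version falls inside the affected 2.0.0 to 2.5.25 range. It assumes the standard Maven artifact naming struts2-core-<version>.jar.

```python
import os
import re
from typing import List, Optional, Tuple

# Affected range stated in the bulletin: Apache Struts 2.0.0 through 2.5.25 inclusive.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 25)

# Assumption: the core library is deployed as struts2-core-<version>.jar (standard
# Maven artifact name). A missing patch component (e.g. "2.5") is treated as 0, and
# qualifiers such as "-SNAPSHOT" or ".1" after the version are tolerated.
_JAR_RE = re.compile(
    r"^struts2-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[.-][\w.]+)?\.jar$", re.IGNORECASE
)


def parse_struts_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a struts2-core jar name, or None if it is not one."""
    m = _JAR_RE.match(os.path.basename(jar_name))
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if the version is inside the range the bulletin lists for CVE-2020-17530."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, Tuple[int, int, int], bool]]:
    """Walk a WEB-INF/lib (or any) directory and report each struts2-core jar found."""
    findings = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            version = parse_struts_version(name)
            if version is not None:
                findings.append((os.path.join(root, name), version, is_affected(version)))
    return findings


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "WEB-INF/lib"
    for path, version, affected in scan_lib_dir(target):
        status = "AFFECTED: upgrade via the Apache download page" if affected else "not in affected range"
        print(f"{path}: struts2-core {'.'.join(map(str, version))} -> {status}")
```

Run it with the path to the application's WEB-INF/lib directory; a jar reported as affected should be replaced with the fixed release from the download link above.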

This bulletin was produced with the support of CNNVD's technical support units: AsiaInfo Security Technology Co., Ltd., Inner Mongolia Dongming Technology Co., Ltd., Beijing Huashun Xinan Technology Co., Ltd., Shanghai Douxiang Information Technology Co., Ltd., Beijing Qihoo Technology Co., Ltd., Beijing Hillstone Network Information Technology Co., Ltd., Sangfor Technology Co., Ltd., Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd., Inner Mongolia Aotron Technology Co., Ltd., Hangzhou Anheng Information Technology Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., Beijing Venus Information Security Technology Co., Ltd., Inspur Electronic Information Industry Co., Ltd., New H3C Technology Co., Ltd. and other technical support units.

CNNVD will continue to track the above-mentioned vulnerabilities and release relevant information in a timely manner. If necessary, you can contact CNNVD.

Contact: cnnvd@itsec.gov.cn
