Risk

Apache Struts Remote Code Execution

Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to remote code execution – same as S2-061.

Impact of vulnerabilityPossible Remote Code Execution vulnerability
Maximum security ratingCritical
RecommendationUpgrade to Struts 2.5.30 or greater
Affected SoftwareStruts 2.0.0 – Struts 2.5.29
CVE IdentifierCVE-2021-31805

Summary

The fix issued for CVE-2020-17530 (S2-061) was incomplete. Still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Solution

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater which checks if expression evaluation won’t lead to the double evaluation.

Struts won’t accept double evaluation issues caused by not validated end-user input (owing to developer error) anymore as vulnerability. We accepted this one as a vulnerability because it’s about an error in our previously accepted vulnerability. We welcome and appreciate reports in this regard to minimize developer error effect albeit!

No issues are expected when upgrading to Struts 2.5.30

Reference