An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
Max CVSS
9.8
EPSS Score
9.30%
Published
2023-12-07
Updated
2023-12-20
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Max CVSS
9.8
EPSS Score
18.56%
Published
2022-04-12
Updated
2022-07-25
CVE-2020-17530
Known exploited
Public exploit
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Max CVSS
9.8
EPSS Score
97.23%
Published
2020-12-11
Updated
2022-06-03
CISA KEV Added
2021-11-03
CVE-2019-0230
Public exploit
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Max CVSS
9.8
EPSS Score
95.36%
Published
2020-09-14
Updated
2022-12-02
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Max CVSS
9.8
EPSS Score
97.30%
Published
2017-09-20
Updated
2019-08-12
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
Max CVSS
9.0
EPSS Score
9.41%
Published
2017-10-16
Updated
2019-05-01
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
Max CVSS
9.8
EPSS Score
2.37%
Published
2016-10-03
Updated
2017-08-09
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
Max CVSS
10.0
EPSS Score
95.90%
Published
2016-04-26
Updated
2016-11-28
CVE-2016-3081
Public exploit
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Max CVSS
9.3
EPSS Score
97.52%
Published
2016-04-26
Updated
2019-08-12
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Max CVSS
9.0
EPSS Score
1.73%
Published
2016-04-12
Updated
2019-08-23
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
Max CVSS
10.0
EPSS Score
0.87%
Published
2013-09-30
Updated
2016-12-07
CVE-2013-2251
Known exploited
Public exploit
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Max CVSS
9.3
EPSS Score
97.38%
Published
2013-07-20
Updated
2020-10-20
CISA KEV Added
2022-03-25
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Max CVSS
9.3
EPSS Score
95.74%
Published
2013-07-16
Updated
2018-11-23
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Max CVSS
9.3
EPSS Score
96.67%
Published
2013-07-16
Updated
2018-11-23
CVE-2013-2115
Public exploit
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Max CVSS
9.3
EPSS Score
0.23%
Published
2013-07-10
Updated
2020-09-24
CVE-2013-1966
Public exploit
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
Max CVSS
9.3
EPSS Score
1.86%
Published
2013-07-10
Updated
2019-08-12
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Max CVSS
9.3
EPSS Score
0.81%
Published
2013-07-10
Updated
2019-08-12
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Max CVSS
10.0
EPSS Score
1.89%
Published
2012-03-02
Updated
2018-12-07
CVE-2012-0391
Known exploited
Public exploit
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Max CVSS
9.3
EPSS Score
29.32%
Published
2012-01-08
Updated
2018-11-23
CISA KEV Added
2022-01-21
CVE-2011-3923
Public exploit
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
Max CVSS
9.8
EPSS Score
94.95%
Published
2019-11-01
Updated
2019-12-02
20 vulnerabilities found