Late last year (2020), Apache Struts published a fix for a remote code execution (RCE) vulnerability discovered by Alvaro Munoz and Masato Anzai. It goes by S2-061 or CVE-2020-17530: “Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution”, similar to S2-059 or CVE-2019-0230. While the fixes for both have helped limit the vulnerable scenarios when using the Struts2 library and have strengthened its sandbox, remote code execution is still possible in the latest version, Struts 2.5.26.
While the sandbox escape written below is new and works on Struts 2.5.26, it was just mentioned to me that this OGNL evaluation was originally reported by Man Yue Mo and Alvaro Munoz. Please check out their great work here: https://securitylab.github.com/research/apache-struts-double-evaluation/…
The second reported OGNL evaluation issue and the XSS mentioned at the end are, I believe, new, though, and I will provide details soon.