## https://sploitus.com/exploit?id=SAINT:61E99B83D8C03F67350245D1B8BDC99C
Added: 04/26/2022  


### Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. 

Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. 

### Problem

A vulnerability in Apache Struts could allow remote attackers to execute arbitrary commands if the application uses forced OGNL evaluation on user input. This vulnerability exists due to an incomplete fix for CVE-2020-17530. 

### Resolution

[Upgrade](<https://struts.apache.org/download.cgi>) to Apache Struts 2.5.30 or higher. 
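
One way to inventory deployments against the fix version above, as an added example that is not part of the original advisory: it walks a directory tree, including the contents of `.war`/`.ear` archives, and flags every `struts2-core` jar whose file-name version is below 2.5.30. It assumes jars keep the standard `struts2-core-<version>.jar` naming (renamed or repackaged jars are missed), and the function names are illustrative.

```python
import os
import re
import zipfile

FIXED = (2, 5, 30)  # first fixed release named in the Resolution section
# Assumption: the jar keeps its standard name, struts2-core-<version>[-suffix].jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")


def core_version(path):
    """Return the struts2-core version encoded in a jar file name, or None."""
    m = JAR_RE.search(path)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def needs_upgrade(version):
    """True when the version sorts below 2.5.30 (compared on three parts)."""
    padded = (version + (0, 0, 0))[:3]
    return padded < FIXED


def scan(root):
    """Yield (location, version, needs_upgrade) for each struts2-core jar
    under root, including jars packaged inside .war/.ear archives."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            candidates = [full]
            if name.lower().endswith((".war", ".ear")):
                try:
                    with zipfile.ZipFile(full) as zf:
                        candidates = [f"{full}!{n}" for n in zf.namelist()]
                except zipfile.BadZipFile:
                    continue  # unreadable archive: nothing to report
            for loc in candidates:
                v = core_version(loc)
                if v is not None:
                    yield loc, v, needs_upgrade(v)


if __name__ == "__main__":
    import sys
    for loc, v, bad in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("UPGRADE" if bad else "ok", ".".join(map(str, v)), loc)
```

Run it with the application server's deployment directory as the only argument; a clean result covers the library version only, not how the application uses OGNL.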

### References

<https://cwiki.apache.org/confluence/display/WW/S2-062>