You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to vulnerable library: /canner/.m2/repository/org/apache/struts/struts2-core/2.5.26/struts2-core-2.5.26.jar
Dependency Hierarchy:
❌ struts2-core-2.5.26.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
mend-for-github-combot
changed the title
CVE-2021-31805 (Medium) detected in struts2-core-2.5.26.jar
CVE-2021-31805 (High) detected in struts2-core-2.5.26.jar
May 21, 2022
mend-for-github-combot
changed the title
CVE-2021-31805 (High) detected in struts2-core-2.5.26.jar
CVE-2021-31805 (Critical) detected in struts2-core-2.5.26.jar
Jul 1, 2023
CVE-2021-31805 - Critical Severity Vulnerability
Vulnerable Library - struts2-core-2.5.26.jar
Library home page: http://struts.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /canner/.m2/repository/org/apache/struts/struts2-core/2.5.26/struts2-core-2.5.26.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Publish Date: 2022-04-12
URL: CVE-2021-31805
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-062
Release Date: 2022-04-12
Fix Resolution: 2.5.30
The text was updated successfully, but these errors were encountered: