CyberSec.Space Logo
Back to CVE Browser

CVE-2020-17530

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score83.0710%
EPSS Percentile85.96th
PublishedDec 11, 2020
Last ModifiedOct 27, 2025

Vulnerability Description

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Affected Platforms (CPE)

πŸ“¦
Apache

Struts

>= 2.0.0 and < 2.5.30
πŸ“¦
Oracle

Business Intelligence

= 12.2.1.3.0
πŸ“¦
Oracle

Business Intelligence

= 12.2.1.4.0
πŸ“¦
Oracle

Communications Diameter Intelligence Hub

= 8.0.0
πŸ“¦
Oracle

Communications Diameter Intelligence Hub

= 8.1.0
πŸ“¦
Oracle

Communications Diameter Intelligence Hub

= 8.2.0
πŸ“¦
Oracle

Communications Diameter Intelligence Hub

= 8.2.3
πŸ“¦
Oracle

Communications Policy Management

= 12.5.0
πŸ“¦
Oracle

Communications Pricing Design Center

= 12.0.0.3.0
πŸ“¦
Oracle

Financial Services Data Integration Hub

= 8.0.3
πŸ“¦
Oracle

Financial Services Data Integration Hub

= 8.0.6
πŸ“¦
Oracle

Hospitality Opera 5

= 5.6
πŸ“¦
Oracle

Mysql Enterprise Monitor

= 8.0.23

References & Advisories

πŸ”— http://jvn.jp/en/jp/JVN43969166/index.html
πŸ”— http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
πŸ”— http://www.openwall.com/lists/oss-security/2022/04/12/6
πŸ”— https://cwiki.apache.org/confluence/display/WW/S2-061
πŸ”— https://security.netapp.com/advisory/ntap-20210115-0005/
πŸ”— https://www.oracle.com//security-alerts/cpujul2021.html
πŸ”— https://www.oracle.com/security-alerts/cpuApr2021.html
πŸ”— https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2013-431610.0

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

CVE-2012-083810.0

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows re...

CVE-2021-440779.8

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulner...

CVE-2021-318059.8

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could ...