CyberSec.Space Logo
CVEブラウザに戻る

CVE-2019-0230

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0310%
EPSS Percentile21.65th
Published2020年9月14日
Last Modified2024年11月21日

Vulnerability Description

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Affected Platforms (CPE)

📦
Apache

Struts

>= 2.0.0 and <= 2.5.20
📦
Oracle

Communications Policy Management

= 12.5.0
📦
Oracle

Financial Services Data Integration Hub

= 8.0.3
📦
Oracle

Financial Services Data Integration Hub

= 8.0.6
📦
Oracle

Financial Services Market Risk Measurement And Management

= 8.0.6
📦
Oracle

Mysql Enterprise Monitor

<= 8.0.23

References & Advisories

🔗 http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
🔗 http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
🔗 https://cwiki.apache.org/confluence/display/ww/s2-059
🔗 https://launchpad.support.sap.com/#/notes/2982840
🔗 https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
🔗 https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
🔗 https://www.oracle.com/security-alerts/cpuApr2021.html
🔗 https://www.oracle.com/security-alerts/cpujan2021.html

関連する脆弱性情報

CVE-2013-431610.0

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

CVE-2012-083810.0

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows re...

CVE-2021-440779.8

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulner...

CVE-2021-318059.8

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could ...