CVE-2019-0230 – org.apache.struts:struts2-core
Package
Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=2.0.0 <2.5.22
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.93837 (percentile: 0.9986)
Details
Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts
In Apache Struts 2.0.0 to 2.5.20, forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Metadata
Created: 2021-12-02T14:50:51Z
Modified: 2021-12-02T14:45:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wp4h-pvgw-5727/GHSA-wp4h-pvgw-5727.json
CWE IDs: ["CWE-1321", "CWE-915"]
Alternative ID: GHSA-wp4h-pvgw-5727
Finding: F390
Auto approve: 1