The Apache Software Foundation has patched a Struts 2 vulnerability, CVE-2020-17530, that may lead to remote code execution.
A cyber attacker could exploit this vulnerability to steal sensitive information.
Apache described the problem as related to forced OGNL evaluation:
“Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”
Apache Software Foundation
As noted in the Apache advisory, administrators should upgrade to Struts 2.5.26 or avoid using forced OGNL evaluation on untrusted user input.
Affected versions include Struts 2.0.0 – Struts 2.5.25.
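As an added example (not Apache's code and not part of the advisory), the script below audits JSP templates for the pattern the advisory describes: forced `%{...}` evaluation inside Struts tag attributes. It assumes the `s` taglib prefix, treats `#parameters`, `#request` and `#attr` as request-derived OGNL roots, and runs on a constructed JSP sample.

```python
"""Flag forced OGNL evaluation (%{...}) in Struts 2 tag attributes.

Every hit is a candidate for review: if the expression resolves to untrusted
input, the tag may evaluate the result a second time (CVE-2020-17530).
Added example, not Apache's code. The JSP sample below is constructed.
"""
import re
from dataclasses import dataclass

# Struts tags of the form <s:name attr="..." ...> (taglib prefix "s" assumed)
TAG_RE = re.compile(r"<s:(?P<name>[\w.-]+)\b(?P<attrs>[^>]*)>", re.S)
ATTR_RE = re.compile(r'(?P<attr>[\w:-]+)\s*=\s*"(?P<val>[^"]*)"')
FORCED_RE = re.compile(r"%\{(?P<expr>[^}]*)\}")
# OGNL roots that expose request data directly (assumed list); anything else
# (e.g. an action property bound from a parameter) still needs manual review.
REQUEST_ROOTS = ("#parameters", "#request", "#attr")

@dataclass
class Finding:
    line: int            # 1-based line of the tag in the template
    tag: str             # Struts tag name, e.g. "a" or "url"
    attr: str            # attribute carrying the forced evaluation
    expr: str            # OGNL expression inside %{...}
    request_derived: bool  # True if it references a request-scoped root

def audit_jsp(text: str) -> list[Finding]:
    """Return every forced OGNL evaluation found in Struts tag attributes."""
    findings = []
    for tag in TAG_RE.finditer(text):
        line = text.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            for forced in FORCED_RE.finditer(attr.group("val")):
                expr = forced.group("expr").strip()
                risky = any(root in expr for root in REQUEST_ROOTS)
                findings.append(Finding(line, tag.group("name"),
                                        attr.group("attr"), expr, risky))
    return findings

# Constructed sample: one forced evaluation on a request root, one on an
# action property, and one tag with no forced evaluation at all.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a id="%{#parameters.skillName}" href="/skills">Skills</s:a>
<s:textfield name="user.name" label="Name"/>
<s:url id="%{skillName}" action="view"/>
"""

if __name__ == "__main__":
    for f in audit_jsp(SAMPLE_JSP):
        level = "HIGH" if f.request_derived else "REVIEW"
        print(f"{level}: line {f.line} <s:{f.tag} {f.attr}=\"%{{{f.expr}}}\">")
```

Run it over a template tree (`find . -name '*.jsp'`) and review every hit; the REVIEW-level ones need a check of where the referenced property gets its value.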
On a related note, Microsoft also released its December 2020 Security Updates, which include patches for 58 vulnerabilities, 9 of them rated Critical.
OpenSSL also addressed a high-risk vulnerability, CVE-2020-1971, in certain OpenSSL versions that could result in a denial-of-service condition if exploited.