CVE-2021-31805 is a vulnerability in Apache Struts
Published on April 12, 2022
Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tags attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Weakness Type
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CVE-2021-31805 has been classified to as an EL Injection vulnerability or weakness.
Products Associated with CVE-2021-31805
Want to know whenever a new CVE is published for Apache Struts? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Struts Version 2.0.0 to 2.5.29 is affected by CVE-2021-31805Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.