CVE-2021-31805 — Expression Language Injection in Apache Struts

Description

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

How to fix CVE-2021-31805

To remediate CVE-2021-31805, upgrade the affected package to a fixed version below.

—upgrade to 2.5.30 or later

Is CVE-2021-31805 being exploited?

Likely — EPSS is 93.8%, placing CVE-2021-31805 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

>= 2.0.0, < 2.5.30

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-31805
WEBcwiki.apache.org/confluence/display/WW/S2-062
WEBsecurity.netapp.com/advisory/ntap-20220420-0001
WEBwww.oracle.com/security-alerts/cpujul2022.html
WEB