Thanks Yasser for taking care of this and being so patient with the whole process :)
Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ wt., 12 kwi 2022 o 17:15 Yasser Zamani <yasserzam...@apache.org> napisał(a): > > Description: > > The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 > to 2.5.29, still some of the tag’s attributes could perform a double > evaluation if a developer applied forced OGNL evaluation by using the %{...} > syntax. Using forced OGNL evaluation on untrusted user input can lead to a > Remote Code Execution and security degradation. > > Mitigation: > > Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to > Struts 2.5.30 which checks if expression evaluation won’t lead to the double > evaluation. > > Please read our Security Bulletin S2-062 for more details. > > Credit: > > Apache Struts would like to thank Chris McCown for reporting this issue! > > References: > > https://cwiki.apache.org/confluence/display/WW/S2-062 > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org > For additional commands, e-mail: dev-h...@struts.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
