It's nothing no bother at all :) thanks to you for your great works!
Best wishes
On 4/13/2022 10:04 AM, Lukasz Lenart wrote:
Thanks Yasser for taking care of this and being so patient with the
whole process :)
Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
wt., 12 kwi 2022 o 17:15 Yasser Zamani <yasserzam...@apache.org> napisał(a):
Description:
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0
to 2.5.29, still some of the tag’s attributes could perform a double evaluation
if a developer applied forced OGNL evaluation by using the %{...} syntax. Using
forced OGNL evaluation on untrusted user input can lead to a Remote Code
Execution and security degradation.
Mitigation:
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to
Struts 2.5.30 which checks if expression evaluation won’t lead to the double
evaluation.
Please read our Security Bulletin S2-062 for more details.
Credit:
Apache Struts would like to thank Chris McCown for reporting this issue!
References:
https://cwiki.apache.org/confluence/display/WW/S2-062
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org