It's nothing no bother at all :) thanks to you for your great works!
Best wishes On 4/13/2022 10:04 AM, Lukasz Lenart wrote:
Thanks Yasser for taking care of this and being so patient with the whole process :) Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ wt., 12 kwi 2022 o 17:15 Yasser Zamani <yasserzam...@apache.org> napisał(a):Description: The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. Mitigation: Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 which checks if expression evaluation won’t lead to the double evaluation. Please read our Security Bulletin S2-062 for more details. Credit: Apache Struts would like to thank Chris McCown for reporting this issue! References: https://cwiki.apache.org/confluence/display/WW/S2-062 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org
