CVE-2019-0230

CVE-2019-0230

EPSS 97.4%

Vexday Risk Score

60Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 97.4%KEV nãoPoC públicaNuclei simMetasploit simPatch —

Lifecycle

13 Aug 2020Public PoC

14 Sep 2020Metasploit module available

14 Sep 2020Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Affected products

n/a · Apache Struts

public PoCs found — 7

githubgithub.com/ramoncjs3/CVE-2019-0230★ 35 githubgithub.com/PrinceFPF/CVE-2019-0230★ 15 githubgithub.com/Al1ex/CVE-2019-0230★ 9 githubgithub.com/f8al/CVE-2019-0230-PoC★ 1 cve_referencepacketstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.htmlunverified cve_referencepacketstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.htmlunverified exploitdbwww.exploit-db.com/exploits/49068unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html https://cwiki.apache.org/confluence/display/ww/s2-059 https://launchpad.support.sap.com/#/notes/2982840 https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpuoct2021.html