The Apache Software Foundation has patched a Struts 2 vulnerability, CVE-2021-31805, that may lead to remote code execution.
A cyber attacker could exploit this vulnerability to steal sensitive information.
Apache describes the problem as one of forced OGNL evaluation, and the fix corrects a previously released patch for Struts 2 that turned out to be incomplete:
“The fix issued for CVE-2020-17530 (S2-061) was incomplete. Still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.”
As noted in the Apache advisory S2-062, administrators should upgrade to Struts 2.5.30 and/or avoid using forced OGNL evaluation on untrusted user input.
Affected versions include Struts 2.0.0 – Struts 2.5.29.
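The two remediation checks the advisory implies, as an added example that is not Apache's code or part of the advisory: first, whether a project's declared struts2-core version falls in the affected 2.0.0 – 2.5.29 range, and second, which Struts tag attributes in a JSP template use the forced-evaluation `%{...}` syntax, so a developer can review whether any of those expressions carry untrusted user input. The pom.xml and JSP fragments below are constructed for the example; the scan flags every forced-evaluation attribute for review rather than deciding which ones are exploitable.

```python
import re
from typing import List, Optional, Tuple

# Boundaries from the S2-062 advisory: 2.0.0 through 2.5.29 affected, 2.5.30 fixed.
AFFECTED_MIN = (2, 0, 0)
FIXED_VERSION = (2, 5, 30)

# Constructed sample pom.xml declaring a vulnerable struts2-core version.
SAMPLE_POM = """<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.29</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample JSP: two tag attributes use forced OGNL evaluation (%{...}).
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="search">
  <s:textfield name="query" label="Search" />
  <s:a id="%{itemId}" href="/items">Item</s:a>
  <s:property value="%{query}" />
</s:form>
"""

POM_STRUTS = re.compile(
    r"<artifactId>struts2-core</artifactId>\s*<version>([^<]+)</version>", re.DOTALL
)
STRUTS_TAG = re.compile(r"<(s:[A-Za-z]+)\b[^>]*>", re.DOTALL)   # opening <s:...> tags
ATTR = re.compile(r'([A-Za-z][\w:-]*)\s*=\s*"([^"]*)"')         # name="value" pairs


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.5.29' (or '2.5', '2.5.30-rc1') into a comparable 3-tuple."""
    nums: List[int] = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def struts_version_from_pom(pom_xml: str) -> Optional[str]:
    """Extract the declared struts2-core version from a pom.xml, if present."""
    m = POM_STRUTS.search(pom_xml)
    return m.group(1).strip() if m else None


def find_forced_ognl(jsp: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, tag, attribute, value) for every Struts tag attribute
    containing the forced-evaluation syntax %{...}. Each hit needs a human
    review of whether the expression can be influenced by user input."""
    findings = []
    for tag_match in STRUTS_TAG.finditer(jsp):
        tag_text = tag_match.group(0)
        line_no = jsp.count("\n", 0, tag_match.start()) + 1
        for attr in ATTR.finditer(tag_text):
            name, value = attr.group(1), attr.group(2)
            if "%{" in value:
                findings.append((line_no, tag_match.group(1), name, value))
    return findings


def report(pom_xml: str, jsp: str) -> List[str]:
    """Human-readable summary combining the version and template checks."""
    lines = []
    version = struts_version_from_pom(pom_xml)
    if version is None:
        lines.append("struts2-core version not declared in pom.xml")
    elif is_affected(version):
        lines.append(f"struts2-core {version} is affected by CVE-2021-31805; upgrade to 2.5.30")
    else:
        lines.append(f"struts2-core {version} is outside the affected range")
    for line_no, tag, name, value in find_forced_ognl(jsp):
        lines.append(f"line {line_no}: <{tag} {name}=\"{value}\"> uses forced OGNL evaluation; review input source")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_POM, SAMPLE_JSP):
        print(entry)
```

The template scan is deliberately broad: every `%{...}` attribute is listed, because the advisory's guidance is to avoid forced evaluation on untrusted input, and only the developer can tell which expressions end up bound to request data.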
On a related note, Microsoft also released the April 2022 Security Updates, which include patches for 117 vulnerabilities, 10 of them rated Critical.