Apache Struts 2 Forced Multi OGNL Evaluation
Posted by deepcore on December 25, 2020 – 3:05 am
The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tag attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependent: a server-side template must make an affected use of request data to render an HTML tag attribute.
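To check whether an application has the template pattern described above, the following added example (not code from the original post or from Apache Struts) lists every Struts tag attribute in a JSP that uses the `%{...}` forced-evaluation syntax, so each one can be reviewed for request-derived data. It assumes the conventional `s:` taglib prefix; the sample JSP and the names `find_forced_ognl` and `SAMPLE_JSP` are constructed for illustration.

```python
import re

# Struts tags under the conventional "s:" prefix (assumption: the application
# did not rename the prefix in its taglib directive). Attribute values are
# matched as quoted strings so a ">" inside an expression does not end the tag.
TAG_RE = re.compile(
    r"""<s:(?P<tag>[\w-]+)(?P<attrs>(?:\s+[\w:-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*/?>"""
)
ATTR_RE = re.compile(
    r"""(?P<name>[\w:-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')"""
)
FORCED = "%{"  # forced OGNL evaluation marker inside a tag attribute value

# Constructed sample template, not taken from any real application.
SAMPLE_JSP = "\n".join([
    '<%@ taglib prefix="s" uri="/struts-tags" %>',
    '<s:a id="%{skillName}" href="/list">Skill</s:a>',
    '<s:textfield name="title" label="Title"/>',
    '<s:url var="next"',
    '       value="%{nextPage}"/>',
    '<a id="static-link" href="/home">Home</a>',
])


def find_forced_ognl(jsp_text):
    """Return one finding per Struts tag attribute that forces OGNL evaluation."""
    findings = []
    for tag in TAG_RE.finditer(jsp_text):
        # Report the line on which the tag opens, even if it spans several lines.
        line = jsp_text.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            value = attr.group("dq") if attr.group("dq") is not None else attr.group("sq")
            if FORCED in value:
                findings.append({
                    "line": line,
                    "tag": tag.group("tag"),
                    "attr": attr.group("name"),
                    "value": value,
                    # "id" is the attribute the post names explicitly.
                    "named_in_advisory": attr.group("name") == "id",
                })
    return findings


if __name__ == "__main__":
    for f in find_forced_ognl(SAMPLE_JSP):
        print(f)
```

A finding is a review candidate, not a confirmed issue: what matters is whether the expression resolves to a value taken from the request.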