CVE-2021-31805

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{…} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Weakness

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Affected Software

Name	Vendor	Start Version	End Version
Struts	Apache	2.0.0 (including)	2.5.29 (including)
Libstruts1.2-java	Ubuntu	trusty	*

Potential Mitigations

If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:

References

http://www.openwall.com/lists/oss-security/2022/04/12/6
https://cwiki.apache.org/confluence/display/WW/S2-062
https://security.netapp.com/advisory/ntap-20220420-0001/
https://www.oracle.com/security-alerts/cpujul2022.html
http://www.openwall.com/lists/oss-security/2022/04/12/6
https://cwiki.apache.org/confluence/display/WW/S2-062
https://security.netapp.com/advisory/ntap-20220420-0001/
https://www.oracle.com/security-alerts/cpujul2022.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-31805
CWE	https://cwe.mitre.org/data/definitions/917.html

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Weakness

Affected Software

Potential Mitigations

References