CVE-2020-17530

CVE Database · CVE-2020-17530

CVE-2020-17530

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

95.92%

Published

Dec 10, 2020

Modified

Oct 27, 2025

CISA Known Exploited Vulnerability

Added: 2021-11-03 · Due: 2022-05-03

Apply updates per vendor instructions.

Public PoC / Exploit (10)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCka1n4t/CVE-2020-17530★64 GitHub PoCwuzuowei/CVE-2020-17530★46 GitHub PoCAl1ex/CVE-2020-17530★29 GitHub PoCfengziHK/CVE-2020-17530-strust2-061★7 GitHub PoCuzzzval/CVE-2020-17530★5 GitHub PoCCyborgSecurity/CVE-2020-17530★4 GitHub PoCsecpool2000/CVE-2020-17530★1 GitHub PoCludy-dev/freemarker_RCE_struts2_s2-061★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-917CWE-917

Affected Products (13)

apache · struts (up to 2.5.30)vulnerable

oracle · business_intelligencevulnerable

oracle · communications_diameter_intelligence_hubvulnerable

oracle · communications_policy_managementvulnerable

oracle · communications_pricing_design_centervulnerable

· financial_services_data_integration_hub

References (20)

http://jvn.jp/en/jp/JVN43969166/index.html

Third Party Advisory

http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html

Third Party AdvisoryVDB Entry

http://www.openwall.com/lists/oss-security/2022/04/12/6

Mailing ListThird Party Advisory

https://cwiki.apache.org/confluence/display/WW/S2-061

Vendor Advisory

https://security.netapp.com/advisory/ntap-20210115-0005/

PatchThird Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

KEV Catalog EPSS Scores Vendors All CVEs