struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From git-site-r...@apache.org
Subject [struts-site] branch asf-site updated: Automatic Site Publish by Buildbot
Date Tue, 08 Dec 2020 07:02:49 GMT
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new f9eff74  Automatic Site Publish by Buildbot
f9eff74 is described below

commit f9eff74d820f26115e541658f8eb99e64ad9a9ef
Author: buildbot <users@infra.apache.org>
AuthorDate: Tue Dec 8 07:02:45 2020 +0000

    Automatic Site Publish by Buildbot
---
 output/announce.html | 27 +++++++++++++++++++++++++++
 output/index.html    |  6 +++---
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/output/announce.html b/output/announce.html
index ec1c806..9dcb38d 100644
--- a/output/announce.html
+++ b/output/announce.html
@@ -132,6 +132,7 @@
     <h1 class="no_toc" id="announcements-2020">Announcements 2020</h1>
 
 <ul id="markdown-toc">
+  <li><a href="#a20201208" id="markdown-toc-a20201208">08 December 2020 - Potential
RCE when using forced evaluation - CVE-2020-17530</a></li>
   <li><a href="#a20201206" id="markdown-toc-a20201206">06 December 2020 - Struts
2.5.26 General Availability</a></li>
   <li><a href="#a20200928" id="markdown-toc-a20200928">28 September 2020 - Struts
2.5.25 General Availability</a></li>
   <li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 - Security
Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues</a></li>
@@ -141,6 +142,32 @@
   Skip to: <a href="announce-2019.html">Announcements - 2019</a>
 </p>
 
+<h4 id="a20201208">08 December 2020 - Potential RCE when using forced evaluation -
CVE-2020-17530</h4>
+
+<p>The Apache Struts Security team would like to announce that forced OGNL evaluation,
when evaluated on raw user input 
+in tag attributes, may lead to remote code execution.</p>
+
+<p><strong>Problem</strong></p>
+
+<p>Some of the tag’s attributes could perform a double evaluation if a developer
applied forced OGNL evaluation 
+by using the <code class="highlighter-rouge">%{...}</code> syntax. Using forced
OGNL evaluation on untrusted user input can lead to a Remote Code Execution 
+and security degradation.</p>
+
+<p><strong>Solution</strong></p>
+
+<p>Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts
2.5.26 which checks if expression 
+evaluation won’t lead to the double evaluation.</p>
+
+<p>Please read our Security Bulletin <a href="https://cwiki.apache.org/confluence/display/WW/S2-061">S2-061</a>
for more details.</p>
+
+<p>This vulnerability was identified by:</p>
+<ul>
+  <li>Alvaro Munoz - pwntester at github dot com</li>
+  <li>Masato Anzai of Aeye Security Lab, inc.</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this action.</strong></p>
+
 <h4 id="a20201206">06 December 2020 - Struts 2.5.26 General Availability</h4>
 
 <p>The Apache Struts group is pleased to announce that Struts 2.5.26 is available as
a “General Availability”
diff --git a/output/index.html b/output/index.html
index b29b065..2d5adae 100644
--- a/output/index.html
+++ b/output/index.html
@@ -153,11 +153,11 @@
         <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
       </div>
       <div class="column col-md-4">
-        <h2>Security Advice S2-058 released</h2>
+        <h2>Security Advice S2-061 released</h2>
         <p>
-          A number of historic Struts Security Bulletins and related CVE database entries
contained incorrect affected release version ranges.
+          Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may
lead to remote code execution.
           Read more in
-          <a href="announce#a20200813">Announcement</a>
+          <a href="announce#a20201208">Announcement</a>
         </p>
       </div>
       <div class="column col-md-4">


Mime
View raw message