CVE-2020-17530: 
Java vulnerability analysis and mitigation

CVE-2020-17530 is a vulnerability in Apache Struts 2 discovered in December 2020. The vulnerability occurs when forced OGNL evaluation is performed on raw user input in tag attributes, which may lead to remote code execution. This vulnerability affects Apache Struts versions 2.0.0 through 2.5.25 (Apache Struts, NIST NVD).

The vulnerability stems from insufficient input validation that allows forced double OGNL evaluation when evaluating raw user input in tag attributes. When an attacker applies forced OGNL evaluation using the %{...} syntax on untrusted user input, it can lead to remote code execution and security degradation. The vulnerability has been assigned a CVSS v3.1 base score of 8.1, indicating high severity (JVN).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, including unauthorized access to sensitive data, modification of system files, and potential full control of the application server (Red Hat).

The recommended mitigation is to upgrade to Apache Struts version 2.5.26 or later. As a workaround, organizations should avoid using forced OGNL evaluation in tag attributes based on untrusted/unvalidated user input. Users should follow the recommendations from the Security Guide (Apache Struts).

Multiple vendors and organizations have responded to this vulnerability by releasing security advisories and patches. NetApp, Oracle, and other major vendors have published advisories and provided patches for their affected products (NetApp Advisory).