This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new f9eff74 Automatic Site Publish by Buildbot
f9eff74 is described below
commit f9eff74d820f26115e541658f8eb99e64ad9a9ef
Author: buildbot <[email protected]>
AuthorDate: Tue Dec 8 07:02:45 2020 +0000
Automatic Site Publish by Buildbot
---
output/announce.html | 27 +++++++++++++++++++++++++++
output/index.html | 6 +++---
2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/output/announce.html b/output/announce.html
index ec1c806..9dcb38d 100644
--- a/output/announce.html
+++ b/output/announce.html
@@ -132,6 +132,7 @@
<h1 class="no_toc" id="announcements-2020">Announcements 2020</h1>
<ul id="markdown-toc">
+ <li><a href="#a20201208" id="markdown-toc-a20201208">08 December 2020 -
Potential RCE when using forced evaluation - CVE-2020-17530</a></li>
<li><a href="#a20201206" id="markdown-toc-a20201206">06 December 2020 -
Struts 2.5.26 General Availability</a></li>
<li><a href="#a20200928" id="markdown-toc-a20200928">28 September 2020 -
Struts 2.5.25 General Availability</a></li>
<li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 -
Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233
(DoS) security issues</a></li>
@@ -141,6 +142,32 @@
Skip to: <a href="announce-2019.html">Announcements - 2019</a>
</p>
+<h4 id="a20201208">08 December 2020 - Potential RCE when using forced
evaluation - CVE-2020-17530</h4>
+
+<p>The Apache Struts Security team would like to announce that forced OGNL
evaluation, when evaluated on raw user input
+in tag attributes, may lead to remote code execution.</p>
+
+<p><strong>Problem</strong></p>
+
+<p>Some of the tag’s attributes could perform a double evaluation if a
developer applied forced OGNL evaluation
+by using the <code class="highlighter-rouge">%{...}</code> syntax. Using
forced OGNL evaluation on untrusted user input can lead to a Remote Code
Execution
+and security degradation.</p>
+
+<p><strong>Solution</strong></p>
+
+<p>Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade
to Struts 2.5.26 which checks if expression
+evaluation won’t lead to the double evaluation.</p>
+
+<p>Please read our Security Bulletin <a
href="https://cwiki.apache.org/confluence/display/WW/S2-061">S2-061</a> for
more details.</p>
+
+<p>This vulnerability was identified by:</p>
+<ul>
+ <li>Alvaro Munoz - pwntester at github dot com</li>
+ <li>Masato Anzai of Aeye Security Lab, inc.</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this
action.</strong></p>
+
<h4 id="a20201206">06 December 2020 - Struts 2.5.26 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.26 is
available as a “General Availability”
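Review bot: The new "Solution" paragraph ("Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression evaluation won't lead to the double evaluation") never tells the reader which Struts releases are affected, so a developer on an older 2.5.x or 2.3.x line cannot tell from this page whether they need to act; add an explicit affected-versions sentence here, taken from the linked S2-061 bulletin, rather than leaving it to the external link. The closing "All developers are strongly advised to perform this action" is also ambiguous, since the paragraph offers two alternatives; say plainly that the advised action is the upgrade to Struts 2.5.26, and that removing `%{...}` forced evaluation on untrusted input is the mitigation for those who cannot upgrade immediately. Two smaller points: "can lead to a Remote Code Execution and security degradation" mixes a concrete impact with a vague one, and "security degradation" should either be dropped or stated concretely; and the credits list uses two different formats ("pwntester at github dot com" versus "of Aeye Security Lab, inc."), so pick one style for both entries.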
diff --git a/output/index.html b/output/index.html
index b29b065..2d5adae 100644
--- a/output/index.html
+++ b/output/index.html
@@ -153,11 +153,11 @@
<a
href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
</div>
<div class="column col-md-4">
- <h2>Security Advice S2-058 released</h2>
+ <h2>Security Advice S2-061 released</h2>
<p>
- A number of historic Struts Security Bulletins and related CVE
database entries contained incorrect affected release version ranges.
+ Forced OGNL evaluation, when evaluated on raw user input in tag
attributes, may lead to remote code execution.
Read more in
- <a href="announce#a20200813">Announcement</a>
+ <a href="announce#a20201208">Announcement</a>
</p>
</div>
<div class="column col-md-4">
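Review bot: The new sidebar heading "Security Advice S2-061 released" and its summary sentence omit the CVE identifier, although the announcement this links to is titled with CVE-2020-17530; readers matching the front page against scanner output or an advisory feed look for the CVE first, so include it, e.g. `Security Advice S2-061 (CVE-2020-17530) released`. The replaced summary also repeats the announcement's awkward wording "Forced OGNL evaluation, when evaluated on raw user input", which reads as "evaluation ... evaluated"; "Forced OGNL evaluation of raw user input in tag attributes may lead to remote code execution" says the same thing. The `announce#a20201208` link keeps the extensionless form of the removed `announce#a20200813`, which is consistent with the existing site convention, so no change is needed there as long as the anchor `a20201208` matches the `id` added in announce.html, which it does.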