{
  "threat_severity" : "Important",
  "public_date" : "2020-12-08T00:00:00Z",
  "bugzilla" : {
    "description" : "struts2: using forced OGNL evaluation on untrusted user input can lead to a RCE and security degradation",
    "id" : "1905645",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1905645"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-20",
  "details" : [ "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.", "A flaw was found in the Apache Struts framework. When forced, some of the tag's attributes perform a double evaluation if a developer applies forced OGNL evaluation by using the %{...} syntax. Using a forced OGNL evaluation on untrusted user input allows an attacker to perform remote code execution and security degradation. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability." ],
  "statement" : "Apache Struts2 is not compiled, shipped, used, or enabled in Red Hat products. As such, any CVE against Apache Struts2 does not impact currently supported Red Hat products.\nThis statement was last revised on 1 Sept 2020.\nPrevious statement example: https://bugzilla.redhat.com/show_bug.cgi?id=1469265",
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "struts",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "struts-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Not affected",
    "package_name" : "struts",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "struts",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-17530\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-17530\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "name" : "CVE-2020-17530",
  "csaw" : false
}