
Apache Struts 2 (S2-061)


On December 8, 2020 (local time), the Apache Software Foundation released information (S2-061) on a vulnerability (CVE-2020-17530) in Apache Struts 2. This vulnerability is due to improper verification of input values. A remote attacker leveraging this vulnerability may execute arbitrary code on the server that runs Apache Struts 2.

Apache Struts 2 Documentation
Security Bulletins S2-061
https://cwiki.apache.org/confluence/display/WW/S2-061

The Apache Software Foundation has rated this vulnerability as "Important". If you use an affected version of Apache Struts 2, it is recommended to upgrade as soon as possible by referring to the information provided in "III. Solution".


II. Affected Products

The following versions of Apache Struts 2 are affected by the vulnerability:

Apache Struts 2
- Versions 2.0.0 to 2.5.25


III. Solution

The Apache Software Foundation has released versions of Apache Struts 2 that address this vulnerability. Please update to the versions by referring to the information provided by the Apache Software Foundation.

Apache Struts 2
- Version 2.5.26

For more information, please refer to the updated information provided by the Apache Software Foundation.

Apache Struts 2 Documentation
Version Notes 2.5.26
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26
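
To find deployments that still fall in the affected range (2.0.0 to 2.5.25), the following added example, which is not part of the original advisory or of Apache's tooling, walks a directory tree and reports every `struts2-core` jar it finds, including jars packed inside `.war` files. It assumes the library keeps its standard artifact file name `struts2-core-<version>.jar`; the function names are illustrative.

```python
import re
import zipfile
from pathlib import Path, PurePosixPath

# Affected range as stated in the advisory: 2.0.0 through 2.5.25 (fixed in 2.5.26).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 25)

# Assumption: the core library keeps its artifact name, struts2-core-<version>.jar.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)(?:-[\w.]+)?\.jar$")


def is_affected(version: str) -> bool:
    """True if the version falls in the advisory's affected range."""
    parts = [int(p) for p in version.split(".")]
    # Compare on major.minor.patch only, so 2.3.16.3 is treated as 2.3.16.
    key = tuple((parts + [0, 0])[:3])
    return AFFECTED_MIN <= key <= AFFECTED_MAX


def _match(name: str):
    """Return the version string if the base name is a struts2-core jar."""
    m = JAR_RE.match(PurePosixPath(name).name)
    return m.group(1) if m else None


def scan(root):
    """Return sorted (location, version, affected) for each struts2-core jar under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        version = _match(path.name)
        if version:
            findings.append((str(path), version, is_affected(version)))
        elif path.suffix.lower() == ".war" and zipfile.is_zipfile(path):
            # Jars bundled under WEB-INF/lib are only visible inside the archive.
            with zipfile.ZipFile(path) as archive:
                for member in archive.namelist():
                    version = _match(member)
                    if version:
                        findings.append((f"{path}!{member}", version, is_affected(version)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for location, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8}  {version:10}  {location}")
```

Renamed or repackaged jars and archives nested inside other archives are not detected, so an empty result does not prove that Struts 2 is absent.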


IV. References


The Apache Software Foundation
08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530
https://struts.apache.org/announce#a20201208

