CVE-2020-17530

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Struts allows remote code execution when OGNL evaluation is forced on raw user input placed in tag attributes. It affects all Apache Struts 2 installations from version 2.0.0 through 2.5.25, and an attacker who reaches an affected application can execute arbitrary code on the server.

💻 Affected Systems

Products:
  • Apache Struts 2
Versions: 2.0.0 through 2.5.25
Operating Systems: All operating systems running Apache Struts
Default Config Vulnerable: ⚠️ Yes
Notes: All Struts 2 applications using tag attributes with user input are vulnerable. The vulnerability exists in the core framework.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining complete control over the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to web application compromise, data theft, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper input validation and security controls, potentially resulting in denial of service or limited information disclosure.

🌐 Internet-Facing: HIGH - Internet-facing Struts applications are directly exposed to exploitation attempts from anywhere.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require network access, reducing exposure surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploits exist, and exploitation requires minimal technical skill. The vulnerability is actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Struts 2.5.26 or later

Vendor Advisory: https://cwiki.apache.org/confluence/display/WW/S2-061

Restart Required: Yes

Instructions:

1. Download Struts 2.5.26 or later from the Apache website.
2. Replace the existing Struts libraries with the patched versions.
3. Restart the application server.
4. Test application functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement strict input validation to block OGNL expressions in user input.
  • Implement a custom servlet filter or Struts interceptor to sanitize tag attribute inputs.

WAF Rule (applies to: all)

  • Deploy Web Application Firewall rules to block OGNL expression patterns.
  • Add a WAF rule to detect and block patterns like ${, #, and @ in request parameters.

🧯 If You Can't Patch

  • Isolate vulnerable systems in restricted network segments with strict firewall rules
  • Implement application-level input validation and output encoding for all user inputs

🔍 How to Verify

Check if Vulnerable:

Check the Struts version in the application's libraries or configuration files. If the version is between 2.0.0 and 2.5.25 inclusive, the system is vulnerable.

Check Version:

Check the struts2-core JAR file version, or examine the web.xml/struts.xml configuration.

Verify Fix Applied:

Verify that the Struts version is 2.5.26 or later. Test application functionality and monitor for any OGNL evaluation issues.
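The version check above can be automated against a deployment's library directory. The following script is an added example written for this page, not part of the advisory or of the Struts project: it reads the version out of struts2-core JAR filenames (the naming pattern struts2-core-<version>.jar, with optional qualifiers such as -SNAPSHOT, is assumed) and reports whether each one falls in the affected range 2.0.0 through 2.5.25 stated above. The filenames in the self-check are constructed for the demonstration.

```python
"""Added example (not from the advisory): locate struts2-core JARs under a
deployment directory and classify each against the CVE-2020-17530 range."""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Affected range as stated in the advisory: 2.0.0 through 2.5.25 inclusive.
FIRST_AFFECTED = (2, 0, 0)
LAST_AFFECTED = (2, 5, 25)

# Assumed naming pattern: struts2-core-<numeric version>[qualifiers].jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)*\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.5.25" into (2, 5, 25); pad to three parts so "2.5" == (2, 5, 0)."""
    parts = tuple(int(p) for p in version.split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts


def is_vulnerable_version(version: str) -> bool:
    """True if the version lies in [2.0.0, 2.5.25]; Struts 1.x and 2.5.26+ are outside."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def version_from_jar_name(path: str) -> Optional[str]:
    """Extract the version from a struts2-core JAR filename, or None if not one."""
    m = JAR_RE.match(os.path.basename(path))
    return m.group(1) if m else None


def scan_jar_names(paths: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Classify JAR paths; returns (path, version, vulnerable) for struts2-core JARs only."""
    findings = []
    for path in paths:
        version = version_from_jar_name(path)
        if version is None:
            continue  # not a struts2-core JAR (plugins, other libraries)
        findings.append((path, version, is_vulnerable_version(version)))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment tree (e.g. an application's WEB-INF/lib) and classify JARs."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in files)
    return scan_jar_names(paths)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, vulnerable in scan_directory(root):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {version:<10} {path}")
```

Run it with the application's WEB-INF/lib directory as the argument. A JAR whose name carries a qualifier is classified on its numeric part only, and any file that is not a struts2-core JAR is skipped, so a clean run on a patched deployment prints only "ok" lines for 2.5.26 or later.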

📡 Detection & Monitoring

Log Indicators:

  • Unusual OGNL evaluation errors in application logs
  • Suspicious parameter values containing ${, #, or @ symbols
  • Unexpected Java class loading or method invocation

Network Indicators:

  • HTTP requests with OGNL expressions in parameters
  • Unusual outbound connections from application server
  • Exploit kit traffic patterns

SIEM Query:

source="app_logs" AND ("OGNL" OR "${*" OR "#*" OR "@*")
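The WAF rule under Temporary Workarounds and the log indicators and SIEM query above all amount to the same check: does a request parameter contain one of the markers ${, #, or @. The following is an added example, written for this page and not part of the advisory or of any WAF or SIEM product, that implements that check once and runs it over a few constructed access-log lines. Two practical details the one-line query does not cover are included: parameter values are percent-decoded (including a second round for double-encoded input) before matching, and an allow list lets a field that legitimately contains "@" (an email address) be exempted from that one marker, since "#" and "@" alone produce many false positives. The log format and the log lines are assumptions constructed for the demonstration.

```python
"""Added example (not from the advisory): screen request parameters for the
OGNL markers the advisory lists and apply the same check to access-log lines."""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Marker strings taken from the advisory's WAF rule / Log Indicators text,
# ordered so the most specific marker is the one reported.
OGNL_MARKERS = ("${", "#", "@")


def decode_value(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so encoded forms of the markers
    (e.g. %24%7B for "${", or a double-encoded %2524%257B) are matched too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_marker(text: str) -> Optional[str]:
    """Return the first advisory marker present in the decoded text, else None."""
    decoded = decode_value(text)
    for marker in OGNL_MARKERS:
        if marker in decoded:
            return marker
    return None


def screen_params(params: Dict[str, str], allow: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Screen parameter names and values; returns (name, value, marker) hits.
    Names in `allow` may legitimately contain "@" in their value (e.g. an
    email field) and are exempted from that marker only; "${" and "#" still hit."""
    allow = set(allow)
    hits = []
    for name, value in params.items():
        marker = find_marker(name)
        if marker is None:
            marker = find_marker(value)
            if marker == "@" and name in allow:
                marker = None  # expected in this field; suppress to cut false positives
        if marker:
            hits.append((name, value, marker))
    return hits


# Constructed access-log format: <client ip> "<METHOD> <path?query> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')


def scan_access_log(lines: Iterable[str], allow: Iterable[str] = ()) -> List[Tuple[str, str, str, str]]:
    """Parse each line's query string and screen its parameters.
    Returns (client_ip, path, param_name, marker) for every hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        for name, _value, marker in screen_params(params, allow):
            findings.append((ip, parts.path, name, marker))
    return findings


# Constructed sample lines (not real traffic); "%24%7Bx%7D" decodes to "${x}".
SAMPLE_LOG = [
    '203.0.113.5 "GET /index.action?id=42 HTTP/1.1" 200',
    '203.0.113.7 "GET /index.action?id=%24%7Bx%7D HTTP/1.1" 200',
    '198.51.100.9 "POST /login.action?user=%40sample HTTP/1.1" 302',
    '198.51.100.9 "GET /search.action?email=alice%40example.com HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, path, name, marker in scan_access_log(SAMPLE_LOG, allow=("email",)):
        print(f"{ip} {path} param={name!r} marker={marker!r}")
```

With the email field allowed, the sample yields two hits (the "${" in the id parameter and the "@" in the user parameter) and passes the email address through; without the allow list the email line is flagged as well, which is exactly the noise the advisory's bare "@" pattern will generate in a real log, so tune the allow list to the application's fields before alerting on it.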
