Apache released patches for some of its products.

Apache Tapestry — CVE-2020-17531

Description:

Apache Tapestry is prone to a code execution vulnerability. The vulnerability caused due to unsafe deserialization in the sp parameter.

Moreover, An unauthenticated remote attacker can exploit this vulnerability by sending specially-crafted input.

However, Successful exploitation can enable an attacker to execute arbitrary code on the system.

Vulnerable Platforms:

The affected versions: Apache Tapestry 4

Fixed Version:

Highly recommended to Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.

Note: Apache Tapestry 4 reached the end of life in 2008 and no update to address this issue will be released.

Severity :	Critical
Vulnerability Rating: CVSS v3.0
Base Score :	9.8
Base Metrics :	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Rating: CVSS v2.0
Base Score :	10
Base Metrics :	AV:N/AC:L/AU:N/C:C/I:C/A:C

Apache Struts — CVE-2020-17530

Description:

A code execution vulnerability was found in Apache Struts. The vulnerability is caused due to a forced double OGNL evaluation on raw user input in tag attributes.

Also, By sending specially crafted data an unauthenticated remote attacker can exploit this vulnerability.

However, Successful exploitation can enable an attacker to execute arbitrary code on the system.

Vulnerable Platforms:

Apache Struts 2.0.0 – Struts 2.5.25

Fixed Version:

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression evaluation won’t lead to the double evaluation.

Severity :	High
Vulnerability Rating: CVSS v3.0
Base Score :	8.1
Base Metrics :	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Rating: CVSS v2.0
Base Score :	7.6
Base Metrics :	AV:N/AC:H/AU:N/C:C/I:C/A:C

Follow Us on: Twitter, Instagram, Facebook to get latest security news!

About the Author

FHN

Administrator

FirstHackersNews- Identifies Security

Visit Website View All Posts