CVE-2019-0230 (High) detected in struts2-core-2.3.31.jar

[mend-for-github-com]

CVE-2019-0230 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: ksa/ksa-web-root/ksa-statistics-web/pom.xml

Path to vulnerable library: canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/struts2-core-2.3.31.jar,canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,canner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: f9c447c914224520fcff8000f77df4b5d77692a8

Found in base branch: master

Vulnerability Details

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Publish Date: 2020-09-14

URL: CVE-2019-0230

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-059

Release Date: 2020-07-21

Fix Resolution: org.apache.struts:struts2-core:2.5.22

---

⛑️ Automatic Remediation is available for this issue