{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42890?format=json","vulnerability_id":"VCID-dbzr-zyeu-73g8","summary":"Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')\nThe fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.","aliases":[{"alias":"CVE-2021-31805"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61330?format=json","purl":"pkg:maven/org.apache.struts/struts2-config-browser-plugin@2.5.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-config-browser-plugin@2.5.30"},{"url":"http://public2.vulnerablecode.io/api/packages/61354?format=json","purl":"pkg:maven/org.apache.struts/struts2-convention-plugin@2.5.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-convention-plugin@2.5.30"},{"url":"http://public2.vulnerablecode.io/api/packages/61365?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.5.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.30"},{"url":"http://public2.vulnerablecode.io/api/packages/61358?format=json","purl":"pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.30"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61328?format=json","purl":"pkg:maven/org.apache.struts/struts2-config-browser-plugin@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-78xk-z9kk-cqge"},{"vulnerability":"VCID-dbzr-zyeu-73g8"},{"vulnerability":"VCID-mvdz-exud-3ybz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-config-browser-plugin@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61329?format=json","purl":"pkg:maven/org.apache.struts/struts2-config-browser-plugin@2.5.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dbzr-zyeu-73g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-config-browser-plugin@2.5.29"},{"url":"http://public2.vulnerablecode.io/api/packages/61352?format=json","purl":"pkg:maven/org.apache.struts/struts2-convention-plugin@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-78xk-z9kk-cqge"},{"vulnerability":"VCID-dbzr-zyeu-73g8"},{"vulnerability":"VCID-mvdz-exud-3ybz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-convention-plugin@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61353?format=json","purl":"pkg:maven/org.apache.struts/struts2-convention-plugin@2.5.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dbzr-zyeu-73g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-convention-plugin@2.5.29"},{"url":"http://public2.vulnerablecode.io/api/packages/52634?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3bjt-18pc-vfe8"},{"vulnerability":"VCID-4bzw-ges2-d7ek"},{"vulnerability":"VCID-7hxh-btrk-skhg"},{"vulnerability":"VCID-8cmt-z8g9-duf2"},{"vulnerability":"VCID-9mn7-d2mm-uqay"},{"vulnerability":"VCID-dbzr-zyeu-73g8"},{"vulnerability":"VCID-gvwn-8r4r-47gm"},{"vulnerability":"VCID-mvdz-exud-3ybz"},{"vulnerability":"VCID-nztp-y8p8-cqc6"},{"vulnerability":"VCID-q2ad-khtm-nqdr"},{"vulnerability":"VCID-z1jy-4da2-tyhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61364?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.5.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dbzr-zyeu-73g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.29"},{"url":"http://public2.vulnerablecode.io/api/packages/61356?format=json","purl":"pkg:maven/org.apache.struts/struts2-rest-plugin@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-78xk-z9kk-cqge"},{"vulnerability":"VCID-dbzr-zyeu-73g8"},{"vulnerability":"VCID-mvdz-exud-3ybz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61357?format=json","purl":"pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dbzr-zyeu-73g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.29"},{"url":"http://public2.vulnerablecode.io/api/packages/61344?format=json","purl":"pkg:maven/org.apache.struts/struts2-struts1-plugin@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-78xk-z9kk-cqge"},{"vulnerability":"VCID-dbzr-zyeu-73g8"},{"vulnerability":"VCID-mvdz-exud-3ybz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-struts1-plugin@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61345?format=json","purl":"pkg:maven/org.apache.struts/struts2-struts1-plugin@2.5.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dbzr-zyeu-73g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-struts1-plugin@2.5.29"},{"url":"http://public2.vulnerablecode.io/api/packages/61347?format=json","purl":"pkg:maven/struts/struts@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-78xk-z9kk-cqge"},{"vulnerability":"VCID-dbzr-zyeu-73g8"},{"vulnerability":"VCID-mvdz-exud-3ybz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/struts/struts@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/61348?format=json","purl":"pkg:maven/struts/struts@2.5.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dbzr-zyeu-73g8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/struts/struts@2.5.29"}],"references":[{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-062","reference_id":"","reference_type":"","scores":[],"url":"https://cwiki.apache.org/confluence/display/WW/S2-062"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220420-0001/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20220420-0001/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/04/12/6","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2022/04/12/6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31805","reference_id":"CVE-2021-31805","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31805"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":917,"name":"Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","description":"The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dbzr-zyeu-73g8"}