Number: AV22-204
Date: 13 April 2022
Updated: 22 April 2022
On 12 April 2022 Apache published a Security Advisory to address a critical vulnerability in the following product:
- Apache Struts – versions 2.0.0 to 2.5.29
Exploitation of this vulnerability could lead to remote code execution.
Update 1
On 20 April 2022, this vulnerability was re-evaluated in the NIST NVD (National Institute of Standards and Technology National Vulnerability Database) to a CVSS score of 9.8. In addition, an alleged proof of concept is available. The Cyber Centre would like to highlight that exposure to this vulnerability requires implementations that use forced OGNL (Object Graph Navigation Language) evaluation in a tag's attributes based on untrusted/unvalidated user input, which Apache does not recommend.
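The paragraph above describes the exposure condition without showing what it looks like in a template. The following audit helper is an added example, not part of this advisory and not Apache's code: it scans JSP text for Struts tag attributes that use the forced OGNL evaluation syntax `%{...}` and marks those whose expression reads directly from request-scoped OGNL roots. The sample JSP lines are constructed for the example, and the list of request-scoped roots (`#parameters`, `#request`) is an assumed heuristic; an attribute such as `%{skillName}` that references an action property may still be user-controlled if that property is populated from a request parameter, so every hit warrants manual review rather than only the marked ones.

```python
import re

# Constructed sample JSP lines (not taken from the advisory) showing both the
# safe plain-attribute form and the forced-evaluation anti-pattern.
SAMPLE_JSP = """\
<s:textfield name="username" label="User" />
<s:a id="%{skillName}" href="/skills">Skill</s:a>
<s:textfield name="%{#parameters.field}" />
<s:property value='%{#request.title}' />
<s:url action="list" />
"""

# Struts tags in the default "s" namespace; closing tags (</s:...>) do not match.
TAG_RE = re.compile(r'<s:(\w+)\b([^>]*)>')
# name="value" or name='value' attribute pairs inside a tag.
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(["'])(.*?)\2''')
# Forced OGNL evaluation: %{ expression }
FORCED_OGNL_RE = re.compile(r'%\{([^}]*)\}')
# Assumed heuristic: OGNL roots that reach request-derived data directly.
REQUEST_ROOTS = ("#parameters", "#request")


def find_forced_ognl(jsp_text):
    """Return one finding per %{...} expression found in a Struts tag attribute.

    Each finding records the line number, tag, attribute, the OGNL expression,
    and whether the expression references a request-scoped root.
    """
    findings = []
    for lineno, line in enumerate(jsp_text.splitlines(), start=1):
        for tag in TAG_RE.finditer(line):
            tag_name, attr_blob = tag.group(1), tag.group(2)
            for attr_name, _quote, attr_value in ATTR_RE.findall(attr_blob):
                for expr in FORCED_OGNL_RE.findall(attr_value):
                    findings.append({
                        "line": lineno,
                        "tag": "s:" + tag_name,
                        "attribute": attr_name,
                        "expression": expr.strip(),
                        "request_scoped": any(r in expr for r in REQUEST_ROOTS),
                    })
    return findings


def report(jsp_text):
    """Render findings as one line each, request-scoped hits first."""
    lines = []
    for f in sorted(find_forced_ognl(jsp_text), key=lambda f: not f["request_scoped"]):
        level = "REQUEST-SCOPED" if f["request_scoped"] else "REVIEW"
        lines.append(f'{level:14} line {f["line"]}: <{f["tag"]} {f["attribute"]}="%{{{f["expression"]}}}">')
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_JSP))
```

Run against a real template tree by reading each `.jsp` file into `find_forced_ognl`; a clean result does not by itself prove the deployment is unaffected, so the update the advisory points to should still be applied.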
The Cyber Centre encourages users and administrators to review the provided web link and apply the necessary update.