Back to KEVs

CVE-2020-17530

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts...

Basic Information

CVE State: PUBLISHED
Reserved Date: August 12, 2020
Published Date: December 11, 2020
Last Updated: February 06, 2025
Vendor: Apache Software Foundation
Product: Apache Struts
Description: Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

CVSS Scores

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2021-11-03 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2023-08-04 03:00:28 UTC) Source

References

https://cwiki.apache.org/confluence/display/WW/S2-061 http://jvn.jp/en/jp/JVN43969166/index.html https://www.oracle.com/security-alerts/cpujan2021.html http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html https://security.netapp.com/advisory/ntap-20210115-0005/ https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuoct2021.html https://www.oracle.com/security-alerts/cpujan2022.html http://www.openwall.com/lists/oss-security/2022/04/12/6 https://www.oracle.com/security-alerts/cpuapr2022.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_multi_eval_ognl.rb	2025-04-29 11:01:23 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-17530.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

struts2_multi_eval_ognl

Type: metasploit • Created: Unknown

Metasploit module for CVE-2020-17530

nth347/CVE-2020-17530

Type: github • Created: 2023-08-04 03:00:28 UTC • Stars: 0

Vulnerable environment of CVE-2020-17530 (S2-061) for testing

keyuan15/CVE-2020-17530

Type: github • Created: 2023-04-02 13:20:42 UTC • Stars: 0

Struts2 S2-061 远程命令执行漏洞（CVE-2020-17530）

uzzzval/CVE-2020-17530

Type: github • Created: 2021-01-07 14:24:08 UTC • Stars: 5

CyborgSecurity/CVE-2020-17530

Type: github • Created: 2020-12-30 17:23:20 UTC • Stars: 4

fengziHK/CVE-2020-17530-strust2-061

Type: github • Created: 2020-12-14 06:54:57 UTC • Stars: 6

CVE-2020-17530-strust2-061

Al1ex/CVE-2020-17530

Type: github • Created: 2020-12-13 11:02:15 UTC • Stars: 29

S2-061 CVE-2020-17530

wuzuowei/CVE-2020-17530

Type: github • Created: 2020-12-10 17:42:37 UTC • Stars: 48

S2-061 的payload，以及对应简单的PoC/Exp

ka1n4t/CVE-2020-17530

Type: github • Created: 2020-12-09 09:53:08 UTC • Stars: 65

secpool2000/CVE-2020-17530

Type: github • Created: 2020-12-09 01:29:23 UTC • Stars: 1

Apache Struts2框架是一个用于开发Java EE网络应用程序的Web框架。Apache Struts于2020年12月08日披露 S2-061 Struts 远程代码执行漏洞（CVE-2020-17530），在使用某些tag等情况下可能存在OGNL表达式注入漏洞，从而造成远程代码执行，风险极大。提醒我校Apache Struts用户尽快采取安全措施阻止漏洞攻击。

phil-fly/CVE-2020-17530

Type: github • Created: 2020-12-08 11:10:46 UTC • Stars: 4

hack，poc