CVE-2020-17530

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts...

Basic Information

CVE State: PUBLISHED
Reserved Date: August 12, 2020
Published Date: December 11, 2020
Last Updated: October 21, 2025
Vendor: Apache Software Foundation
Product: Apache Struts
Description: Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2021-11-03 00:00:00 UTC) Source

References

https://cwiki.apache.org/confluence/display/WW/S2-061 http://jvn.jp/en/jp/JVN43969166/index.html https://www.oracle.com/security-alerts/cpujan2021.html http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html https://security.netapp.com/advisory/ntap-20210115-0005/ https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuoct2021.html https://www.oracle.com/security-alerts/cpujan2022.html http://www.openwall.com/lists/oss-security/2022/04/12/6 https://www.oracle.com/security-alerts/cpuapr2022.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-03 00:00:00 UTC
CISA	2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_multi_eval_ognl.rb	2025-04-28 15:02:23 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-17530.yaml	2025-04-25 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

struts2_multi_eval_ognl

Type: metasploit • Created: Unknown

Metasploit module for CVE-2020-17530

nth347/CVE-2020-17530

Type: github • Created: 2023-08-04 03:00:28 UTC • Stars: 0

Vulnerable environment of CVE-2020-17530 (S2-061) for testing

keyuan15/CVE-2020-17530

Type: github • Created: 2023-04-02 13:20:42 UTC • Stars: 0

Struts2 S2-061 远程命令执行漏洞（CVE-2020-17530）

uzzzval/CVE-2020-17530

Type: github • Created: 2021-01-07 14:24:08 UTC • Stars: 5

CyborgSecurity/CVE-2020-17530

Type: github • Created: 2020-12-30 17:23:20 UTC • Stars: 4

fengziHK/CVE-2020-17530-strust2-061

Type: github • Created: 2020-12-14 06:54:57 UTC • Stars: 6

CVE-2020-17530-strust2-061

Al1ex/CVE-2020-17530

Type: github • Created: 2020-12-13 11:02:15 UTC • Stars: 29

S2-061 CVE-2020-17530

wuzuowei/CVE-2020-17530

Type: github • Created: 2020-12-10 17:42:37 UTC • Stars: 48

S2-061 的payload，以及对应简单的PoC/Exp

ka1n4t/CVE-2020-17530

Type: github • Created: 2020-12-09 09:53:08 UTC • Stars: 65

phil-fly/CVE-2020-17530

Type: github • Created: 2020-12-08 11:10:46 UTC • Stars: 4

hack，poc

Timeline

CVE ID Reserved

August 12, 2020
CVE Published to Public

December 11, 2020
Added to KEVIntel

November 03, 2021
Added to KEVIntel

November 03, 2021
Detected by Nuclei

April 25, 2025
Detected by Metasploit

April 28, 2025