The security scanner reported that the Spectrum OneClick server ships an old version of the Struts 2 library, which is affected by CVE-2020-17530 (https://nvd.nist.gov/vuln/detail/CVE-2020-17530).
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.
Release: 20.2.5, 20.2.7
Component: Spectrum Core / SpectroSERVER
The reported vulnerability CVE-2020-17530 should be fixed with Struts 2.5.26, which is in the Spectrum pipeline and will be available in the next Spectrum release, 21.2.1.
For Spectrum 10.4.2.2, patch 10.04.02.02.D153, which upgrades Struts to 2.5.26, has been released.
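
To confirm which Struts version an installation actually carries before and after patching, the following added example (not Broadcom or Apache code) walks a directory tree, finds struts2-core jars and flags any version in the affected range 2.0.0 - 2.5.25. It assumes the jar is named struts2-core*.jar and that its manifest, when readable, carries an Implementation-Version or Bundle-Version header; the directory to scan is supplied by the operator.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 5, 26)          # first fixed release named in this article
FIRST_AFFECTED = (2, 0, 0)  # affected range: 2.0.0 - 2.5.25
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)*).*\.jar$")
MANIFEST_VER = re.compile(r"^(?:Implementation|Bundle)-Version:\s*(\d+(?:\.\d+)*)", re.M)


def parse_version(text):
    """'2.5.22' -> (2, 5, 22); pads to three parts so '2.5' compares as 2.5.0."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def jar_version(jar_path):
    """Prefer the manifest version (survives renamed jars), else use the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = MANIFEST_VER.search(manifest)
        if m:
            return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable archive or no manifest: fall back to the file name
    m = JAR_NAME.match(Path(jar_path).name)
    return parse_version(m.group(1)) if m else None


def is_affected(version):
    return FIRST_AFFECTED <= version < FIXED


def scan(root):
    """Return sorted (path, version, affected) for each struts2-core jar under root.

    affected is None when no version could be determined (check by hand)."""
    results = []
    for jar in Path(root).rglob("struts2-core*.jar"):
        version = jar_version(jar)
        results.append((str(jar), version, is_affected(version) if version else None))
    return sorted(results)


if __name__ == "__main__":
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "unknown"
        label = {True: "AFFECTED", False: "ok", None: "CHECK MANUALLY"}[affected]
        print(f"{label:14} {shown:10} {path}")
```

Run it with the OneClick installation directory as the only argument; any line marked AFFECTED points at a jar that still needs the upgrade to 2.5.26.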