Spectrum Vulnerability CVE-2020-17530: OneClick struts2

Article ID: 211867

Products

CA Spectrum

Issue/Introduction

The security scanner reported that the Spectrum OneClick server ships an old version of the Struts2 library, which is affected by https://nvd.nist.gov/vuln/detail/CVE-2020-17530

CVE-2020-17530 Detail

Current Description

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.

Environment

Release : 20.2.5, 20.2.7

Component : Spectrum Core / SpectroSERVER

Resolution

The reported vulnerability CVE-2020-17530 is fixed by Struts 2.5.26, which is in the Spectrum pipeline and will be available in the upcoming Spectrum 21.2.1 release.

For Spectrum 10.4.2.2, patch 10.04.02.02.D153, which upgrades Struts to 2.5.26, has been released.
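To confirm that a patched or upgraded server really carries Struts 2.5.26 or later, the following script (an added example, not part of this article or of CA Spectrum) walks an install tree, locates struts2-core jars, reads the version from the filename or the jar manifest, and flags anything in the affected 2.0.0 to 2.5.25 range. The install root to scan is an assumption; the article does not give the OneClick webapp path.

```python
import os
import re
import zipfile
from typing import List, Optional, Tuple

FIXED_VERSION = (2, 5, 26)  # first Struts release carrying the CVE-2020-17530 fix
AFFECTED_MIN = (2, 0, 0)    # NVD: Struts 2.0.0 through 2.5.25 are affected
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.5.26' or '2.5.26-SNAPSHOT' -> (2, 5, 26); None when no X.Y.Z is present."""
    m = _VERSION_RE.search(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def version_from_manifest(manifest_text: str) -> Optional[Tuple[int, int, int]]:
    """Fallback for renamed jars: Implementation-Version from META-INF/MANIFEST.MF."""
    for line in manifest_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return parse_version(value)
    return None

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in the affected range [2.0.0, 2.5.26)."""
    return AFFECTED_MIN <= version < FIXED_VERSION

def jar_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Take the version from a Maven-style name (struts2-core-2.5.25.jar); else read the manifest."""
    version = parse_version(os.path.basename(path))
    if version is not None:
        return version
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        return version_from_manifest(manifest)
    except (zipfile.BadZipFile, KeyError, OSError):
        return None

def scan_tree(root: str) -> List[Tuple[str, Optional[Tuple[int, int, int]], bool]]:
    """(path, version, needs_attention) per struts2-core jar; an unknown version is flagged, not passed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("struts2-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings.append((path, version, version is None or is_affected(version)))
    return findings
```

Call `scan_tree("<OneClick install root>")` and treat every entry whose third field is True as unresolved; a jar whose version cannot be read is deliberately reported rather than assumed safe.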