add cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml.

Signed-off-by: fanyunpeng <cn_2023@buaa.edu.cn>
2023-03-16 09:13:06 +00:00 · 2023-03-16 09:13:06 +00:00 · 218ea68c1b
parent 6a382dcea0
commit 218ea68c1b
1 changed files with 24 additions and 0 deletions
--- a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml
+++ b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml
@ -0,0 +1,24 @@
+id: CVE-2019-0230
+source: https://www.exploit-db.com/exploits/49068
+info:
+  name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。
+  severity: critical
+  description:
+    Apache Struts框架, 会对某些特定的标签的属性值，比如id属性进行二次解析，所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式，造成OGNL表达式注入。从而可能造成远程执行代码。
+  scope-of-influence:
+    Struts 2.0.0 - Struts 2.5.20
+  reference:
+    - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html
+    - https://cwiki.apache.org/confluence/display/ww/s2-059
+    - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
+    - https://launchpad.support.sap.com/#/notes/2982840
+    - https://www.oracle.com/security-alerts/cpuApr2021.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2019-0230
+    cwe-id: CWE-1321
+    cnvd-id: None
+    kve-id: None
+  tags: 
+    - 远程命令执行