CVE-2019-0230
Description
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts 2.0.0 to 2.5.20 allows remote code execution via forced double OGNL evaluation on raw user input in tag attributes.
Vulnerability
CVE-2019-0230 (Struts advisory S2-059) is a remote code execution vulnerability in Apache Struts 2 affecting versions 2.0.0 through 2.5.20. The root cause is a double evaluation of OGNL (Object-Graph Navigation Language): when a developer applies forced OGNL evaluation (the %{...} syntax) to certain tag attributes, such as id, the framework evaluates the attribute value once to resolve the expression and then again when the tag is rendered [3]. If the resolved value is raw, unvalidated user input, an attacker can submit an OGNL expression that is executed server-side on the second pass [3].
Exploitation
Exploitation is possible when a Struts tag attribute is written with forced OGNL evaluation (%{...}) and that expression resolves to unvalidated input the attacker controls [3]. The attacker sends a request whose parameter value is itself an OGNL expression; the first evaluation substitutes that string into the attribute (for example id), and when the tag is rendered Struts evaluates the attribute value a second time as OGNL, so the embedded expression runs on the server [3]. No authentication is required, but the attacker must be able to influence the specific input that flows into a vulnerable attribute, so exposure depends on how the application uses these tags rather than on the framework alone.
Impact
Successful exploitation allows an attacker to execute arbitrary Java code on the server with the privileges of the web application, potentially leading to full server compromise, data theft, or other malicious actions [1][3].
Mitigation
The vulnerability is fixed in Apache Struts 2.5.22; upgrade to that version or later [3]. As a workaround, avoid forced OGNL evaluation (%{...}) in tag attributes unless it is genuinely needed, never apply it to raw user input, and validate any user-supplied value before it reaches such an expression [3]. The issue is a recurrence of the double-evaluation pattern behind the earlier Struts advisories S2-029 and S2-036 [3].
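One way to turn the exploitation prerequisite and the mitigation above into a concrete check, as an added example that is not part of the advisory or of the Struts code base: a Python audit helper that flags Struts tag attributes written with forced OGNL evaluation (%{...}) in JSP source, and tests a struts2-core version string against the affected range from the advisory. The sample JSP, the attribute and property names in it, and the version strings are constructed for illustration; a flagged attribute is a candidate for review, not proof of exploitability, which still depends on the expression resolving to raw user input.

```python
import re

# Added audit helper, not code from the advisory or from Struts. The scanner is a
# review heuristic: it reports every Struts tag attribute whose value applies forced
# OGNL evaluation (%{...}), the pattern S2-059 requires.
STRUTS_TAG_RE = re.compile(r"<s:([A-Za-z]+)\b([^>]*)>")
ATTR_RE = re.compile(r"""([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
FORCED_EVAL_RE = re.compile(r"%\{[^}]*\}")

AFFECTED_FROM = (2, 0, 0)   # inclusive lower bound of the affected range
FIXED_IN = (2, 5, 22)       # first patched struts2-core release


def find_forced_evaluations(jsp_text):
    """Return (line, tag, attribute, value) for each Struts tag attribute whose
    value uses forced OGNL evaluation (%{...})."""
    findings = []
    for tag_match in STRUTS_TAG_RE.finditer(jsp_text):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        line = jsp_text.count("\n", 0, tag_match.start()) + 1
        for name, dq, sq in ATTR_RE.findall(attrs):
            value = dq if dq else sq
            if FORCED_EVAL_RE.search(value):
                findings.append((line, tag, name, value))
    return findings


def parse_version(version):
    """Map '2.5.20' (or '2.5.22.1') to a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_struts_version(version):
    """True when struts2-core falls in the affected range >= 2.0.0, < 2.5.22."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


# Constructed sample JSP: one vulnerable usage and two usages that do not force
# a second evaluation. 'skillName' stands for an action property bound to a
# request parameter.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<%-- Constructed sample. Vulnerable pattern: 'skillName' comes from the request
     and the id attribute forces OGNL evaluation on it. --%>
<s:a id="%{skillName}" href="/skills">Show</s:a>

<%-- Safe: the attribute value is a plain literal, so nothing is force-evaluated. --%>
<s:a id="skillLink" href="/skills">Show</s:a>

<%-- Safe: 'value' is evaluated once by the tag itself; no %{...} wrapper. --%>
<s:property value="skillName" />
"""


if __name__ == "__main__":
    for line, tag, attr, value in find_forced_evaluations(SAMPLE_JSP):
        print(f"line {line}: <s:{tag}> attribute {attr}={value!r} uses forced evaluation")
    for v in ("2.3.37", "2.5.20", "2.5.22"):
        state = "AFFECTED" if is_vulnerable_struts_version(v) else "patched"
        print(f"struts2-core {v}: {state}")
```

Run it against the JSP tree of a deployment and against the struts2-core version resolved from the build (for example the output of `mvn dependency:tree`); any finding on an application still below 2.5.22 should be treated as a likely RCE path until the input reaching that attribute is shown to be validated.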
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts2-core (Maven) | >= 2.0.0, < 2.5.22 | 2.5.22 |
Affected products
- Apache/Struts
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-wp4h-pvgw-5727 (GHSA; advisory)
2. nvd.nist.gov/vuln/detail/CVE-2019-0230 (GHSA; advisory)
3. packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html (GHSA; web)
4. packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html (GHSA; web)
5. cwiki.apache.org/confluence/display/ww/s2-059 (GHSA; web)
6. launchpad.support.sap.com (GHSA; web)
7. lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E (MITRE; mailing list)
8. lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E (GHSA; web)
9. lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E (MITRE; mailing list)
10. lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E (GHSA; web)
11. www.oracle.com/security-alerts/cpuApr2021.html (GHSA; web)
12. www.oracle.com/security-alerts/cpujan2021.html (GHSA; web)
13. www.oracle.com/security-alerts/cpuoct2021.html (GHSA; web)
News mentions
No linked articles in our index yet.