Cyber Resilience

CVE-2020-17530

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 11 December 2020
Modified: 27 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9437 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-17530 is a critical-severity Expression Language Injection (CWE-917) vulnerability in Oracle Communications Diameter Intelligence Hub. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

The vulnerability is forced OGNL evaluation of raw user input in tag attributes, which may lead to remote code execution. It affects Apache Struts versions 2.0.0 through 2.5.25 and is associated with CWE-917.

An attacker can exploit the issue remotely over a network without authentication or user interaction, as reflected in the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), resulting in arbitrary code execution with full impact on confidentiality, integrity, and availability.

Advisories and additional details are referenced at https://cwiki.apache.org/confluence/display/WW/S2-061 along with JVN, Packet Storm, OpenWall, and NetApp security notices.

EU & UK References

Vulnerability details

Forced OGNL evaluation, when applied to raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 through Struts 2.5.25.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache struts: 2.0.0 — 2.5.30
oracle business intelligence: 12.2.1.3.0, 12.2.1.4.0
oracle communications diameter intelligence hub: 8.0.0, 8.1.0, 8.2.0, 8.2.3
oracle communications policy management: 12.5.0
oracle communications pricing design center: 12.0.0.3.0
oracle financial services data integration hub: 8.0.3, 8.0.6
oracle hospitality opera 5: 5.6
oracle mysql enterprise monitor: 8.0.23

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation and neutralization of untrusted input before it reaches expression evaluation (OGNL), blocking the exact injection path in Struts tag attributes.

prevent: Enforces strict information-flow rules on user-supplied data so that raw input cannot be interpreted as executable OGNL expressions.

prevent: Restricts the web-application runtime to only the functionality needed, disabling or sandboxing the dynamic expression evaluation features that enable the RCE.

References