0x01 Vulnerability Introduction
Apache has issued a security notice disclosing a remote code execution vulnerability in its Struts2 framework, tracked as CVE-2021-31805.
According to the official description, the fix for CVE-2020-17530 (S2-061) was incomplete: the attributes of some tags can still evaluate OGNL expressions, which can ultimately lead to remote arbitrary code execution.
0x02 Scope of Impact
0x03 Remediation
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or later, which checks that expression evaluation does not result in double evaluation.
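The audit script below is an added example, not part of this notice or of the Struts project: it scans JSP text for Struts tag attributes that apply forced OGNL evaluation (the %{...} syntax) and lists them as candidates for the manual review the first remediation calls for. The JSP fragment inside it is constructed for illustration; the tag and attribute names in it are assumptions.

```python
import re

# Constructed sample JSP (not from any real application). Line 2 applies
# forced OGNL evaluation to a property that request data may populate;
# line 3 is the corrected form, which names the property without %{...}
# so the tag resolves it once and does not re-evaluate the resulting string.
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:a id="%{skillName}" href="/list">Skills</s:a>
<s:a id="skillName" href="/list">Skills</s:a>
<s:textfield name="user" value="%{#session.user}" />
"""

# Opening Struts tag (<s:name ...>): captures the tag name and its attributes.
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# attr="...%{...}..." inside the captured attribute string.
FORCED_RE = re.compile(r'(\w+)\s*=\s*"([^"]*%\{[^}]*\}[^"]*)"')


def find_forced_ognl(jsp_text):
    """Return (line, tag, attribute, value) for every Struts tag attribute
    that uses forced OGNL evaluation. Each hit is a review candidate, not a
    confirmed defect: the reviewer must decide whether the referenced value
    can carry untrusted request data."""
    hits = []
    for tag in TAG_RE.finditer(jsp_text):
        line = jsp_text.count("\n", 0, tag.start()) + 1
        for attr in FORCED_RE.finditer(tag.group(2)):
            hits.append((line, tag.group(1), attr.group(1), attr.group(2)))
    return hits


if __name__ == "__main__":
    for line, tag, attr, value in find_forced_ognl(SAMPLE_JSP):
        print(f"line {line}: <s:{tag} {attr}=\"{value}\"> uses forced OGNL evaluation; review")
```

Run it against a directory of JSP files by reading each file into `find_forced_ognl`; the corrected form on line 3 of the sample produces no hit.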
Reference link: https://cwiki.apache.org/confluence/display/WW/S2-062