ognl-injection
Safeguard articles tagged "ognl-injection" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Confluence OGNL Injection (CVE-2022-26134) Explained
CVE-2022-26134 is a CVSS 9.8 unauthenticated OGNL injection in Atlassian Confluence, exploited as a zero-day before the patch. Here is how the flaw works and which versions fixed it.
Confluence CVE-2021-26084 Explained: The Webwork OGNL Injection RCE
CVE-2021-26084 is an unauthenticated OGNL injection in Confluence Server and Data Center that allows remote code execution, rated CVSS 9.8. Here is the timeline, root cause, detection, and patched versions.
Apache Struts remote code execution CVE history
A decade of Apache Struts RCEs — from Equifax's CVE-2017-5638 to 2024's file-upload bypass — traced through CVSS, EPSS, KEV, and fixes.
Apache Struts2 RCE behind the Equifax breach (CVE-2017-5638)
CVE-2017-5638, the Apache Struts2 RCE behind the Equifax breach, exposed 147.9M records. Here's the flaw, timeline, and how to remediate it.
Struts2 OGNL injection RCE (CVE-2018-11776)
CVE-2018-11776 lets remote attackers achieve full RCE in Apache Struts2 via OGNL injection in URL namespaces. Impact, timeline, and fixes inside.
CVE-2018-11776: Remote code execution in Apache Struts2 v...
CVE-2018-11776 lets attackers achieve unauthenticated RCE in Apache Struts2 via crafted namespace/OGNL injection. Affected versions, timeline, and fixes.
CVE-2019-0230: OGNL remote code execution in Apache Struts2
CVE-2019-0230 lets attackers chain forced double OGNL evaluation in Struts2 tag attributes into remote code execution. Here's what's affected, the CVSS/EPSS context, and how to remediate it.
CVE-2020-17530: Forced OGNL evaluation RCE in Apache Struts2
CVE-2020-17530 lets attackers achieve unauthenticated RCE in Apache Struts2 via forced OGNL evaluation. Here's the scope, timeline, and how to remediate it.