Struts allows developers to use "forced double evaluation" for tag attributes. Using this feature on unvalidated user input allows an external attacker to inject malicious OGNL (Object-Graph Navigation Language) expressions, which are then evaluated server-side. Depending on the injected payload, this can result in remote code execution.
In their recent announcement, Apache said “we continue to urge developers building upon Struts 2 to not use %{…} or ${…} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities.”
There is public exploit code available for this vulnerability.
This issue was fixed in Apache Struts 2.5.22, which was released in November 2019.
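Apache's guidance above is a code-review rule: no `%{…}` or `${…}` in tag attributes that reference user-modifiable input. The following script is an added example (not Apache's or the Struts project's code) that turns that rule into a static check over JSP sources. It finds Struts `<s:…>` tags whose attribute values contain a forced-evaluation expression, reports them for review, and raises the severity when the expression reads directly from the OGNL request context (`#parameters`, `#request`). The JSP sample, the tag names used in it and the taint-hint list are constructed for this illustration; an attribute like `id="%{skillName}"`, where `skillName` is an action property bound from a request parameter, cannot be proven user-controlled by this regex scan, so it is reported at "review" level rather than "high".

```python
import re
from typing import List, NamedTuple

# A Struts tag opening: <s:tagname attr="value" ...> (hypothetical simplification;
# a value containing '>' would cut the match short, so treat results as a triage aid).
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# One attribute assignment inside a tag: name="value" or name='value'
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# The forced-evaluation syntaxes Apache warns against in tag attributes
OGNL_RE = re.compile(r"[%$]\{[^}]*\}")
# OGNL context roots that hold request-controlled data (constructed heuristic list)
TAINT_HINTS = ("#parameters", "#request")


class Finding(NamedTuple):
    line: int            # 1-based line of the tag in the JSP source
    tag: str             # Struts tag name without the "s:" prefix
    attr: str            # attribute that carries the expression
    value: str           # the full attribute value
    user_input_hint: bool  # expression reads straight from the request context


def scan_jsp(source: str) -> List[Finding]:
    """Return every Struts tag attribute whose value contains %{...} or ${...}."""
    findings: List[Finding] = []
    for m in TAG_RE.finditer(source):
        tag, attrs = m.group(1), m.group(2)
        line = source.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(attrs):
            name = a.group(1)
            value = a.group(2) if a.group(2) is not None else a.group(3)
            if OGNL_RE.search(value):
                hint = any(h in value for h in TAINT_HINTS)
                findings.append(Finding(line, tag, name, value, hint))
    return findings


def classify(f: Finding) -> str:
    """'high' when the expression itself reaches into request data, else 'review'."""
    return "high" if f.user_input_hint else "review"


def report(source: str) -> List[str]:
    """Human-readable lines, one per finding, in source order."""
    return [
        f"{classify(f)}: line {f.line} <s:{f.tag} {f.attr}=\"{f.value}\">"
        for f in scan_jsp(source)
    ]


# Constructed JSP fragment for the demonstration (not from any real application).
SAMPLE_JSP = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="register">
  <s:textfield name="skillName" label="Skill" />
  <s:a id="%{skillName}">Details</s:a>
  <s:property value="%{#parameters.name[0]}" />
  <s:url var="home" action="index" />
</s:form>
"""

if __name__ == "__main__":
    for line in report(SAMPLE_JSP):
        print(line)
```

Run against a source tree, the "high" hits are the attributes to fix first; the "review" hits need a look at the action class to decide whether the referenced property is populated from a request parameter, which is exactly the case this class of bug exploits.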