Description
The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Remediation
Adding a proper validation of each value that's coming in and it's used in tag's attributes.
Don't use forced evaluation of an attribute other than value using %{...} syntax unless really needed for a valid use-case.
By upgrading to Struts 2.3.28, possible malicious effects of forced double evaluation are limited.
References
Related Vulnerabilities
WordPress Plugin CM Download Manager Code Injection (2.0.3)
Moveable Type 4.x unauthenticated remote command execution
VMware Workspace ONE Access SSTI (CVE-2022-22954)
Microsoft Exchange Server Server-Side Request Forgery (SSRF) vulnerability
Unauthenticated OGNL injection in Confluence Server and Data Center