Description
Apache Roller is a full-featured, multi-user and group-blog server suitable for blog sites large and small. It runs as a Java web application and is designed to work on almost any Java EE server and relational database.
Roller 5.x releases earlier than 5.0.2, and all 4.x releases, are vulnerable to a pre-authentication OGNL injection that can lead to remote code execution (RCE).
Remediation
Upgrade to the latest version of Apache Roller (the problem was fixed in version 5.0.2).