struts-user mailing list archives

From Markus Fischer <>
Subject Is Struts affected by the security vulnerability S2-018?
Date Wed, 11 Dec 2013 14:18:33 GMT
Dear group,

I hope that you can help to clear up my confusion about the current
status of Struts with regard to the security vulnerability
S2-018 (see [1]).

So far, it was my understanding that S2-018 is fixed with the
release. And the release notes still suggest that this is the case (see
[2]). Also, in [3] the vulnerability is categorized as only affecting
Struts versions up to

But now I found that S2-018 is listed as a vulnerability affecting Struts (see [4]). Also, the description of S2-018 currently states the
following: "In Struts 2 before, under certain conditions this
can be used to bypass security constraints."

I am aware that there are backward compatibility issues with the action:
prefix not working with Struts However, some of the projects I
am administrating (and which are running Struts do not make
use of that feature.

My question is: do I need to update those systems in order not to be
affected by a security vulnerability? Or is S2-018 merely listed as
affecting Struts because of the backward compatibility issue,
but the security issue is fixed?

Many thanks in advance,




