struts-user mailing list archives

From Markus Fischer <Markus.Fisc...@knipp.de>
Subject Is Struts 2.3.15.2 affected by the security vulnerability S2-018?
Date Wed, 11 Dec 2013 14:18:33 GMT
Dear group,

I hope that you can help to clear up my confusion about the current
status of Struts 2.3.15.2 with regards to the security vulnerability
S2-018 (see [1]).

So far, it was my understanding that S2-018 is fixed with the 2.3.15.2
release. And the release notes still suggest that this is the case (see
[2]). Also, in [3] the vulnerability is categorized as only affecting
Struts versions up to 2.3.15.1.

But now I found that S2-018 is listed as vulnerability affecting Struts
2.3.15.2 (see [4]). Also, the description of S2-018 currently states the
following: "In Struts 2 before 2.3.15.3, under certain conditions this
can be used to bypass security constraints."

I am aware that there are backward compatibility issues with the action:
prefix not working with Struts 2.3.15.2. However, some of the projects I
am administrating (and which are running Struts 2.3.15.2) do not make
use of that feature.

My question is: do I need to update those systems in order not to be
affected by a security vulnerability? Or is S2-018 merely listed as
affecting Struts 2.3.15.2 because of the backward compatibility issue,
but the security issue is fixed?

Many thanks in advance,
Markus

[1] http://struts.apache.org/development/2.x/docs/s2-018.html

[2] http://struts.apache.org/development/2.x/docs/version-notes-23152.html

[3] http://www.cvedetails.com/cve/CVE-2013-4310/

[4] http://struts.apache.org/downloads.html
