struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Struts 2.3.X Impacted by S2-055?
Date Sun, 10 Dec 2017 17:25:51 GMT
2017-12-08 19:11 GMT+01:00  <infosec@unixcert.net>:
> It looks like the Jackson-databind issue is only associated with 2.5.X
> versions of Struts. I just want to confirm that 2.3.X versions are not.

The Struts 2.3.x series is using a different version of the Jackson
library [1] and we have no knowledge of whether that version is vulnerable
as well. Also, the 2.3.x series is using json-lib as the default JSON
handler implementation, which means it's impacted by [2].

[1] https://github.com/apache/struts/blob/support-2-3/plugins/rest/pom.xml#L52
[2] https://cwiki.apache.org/confluence/display/WW/S2-054


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
