struts-user mailing list archives

From Lukasz Lenart <>
Subject Re: [EXTERNAL] Re: Question Regarding Recent Security Announcement
Date Mon, 05 Nov 2018 13:35:22 GMT
Mon, 5 Nov 2018 at 13:33 David Dillard <> wrote:
> Ok, that addresses one question, but still leaves one: why is it being recommended to
> update File Upload NOW due to a possible DoS, when Struts has been using a version of File
> Upload with no documented DoS issue for the last six releases???
>
> Or put another way, Struts 2.3.35 uses File Upload 1.3.2.  File Upload 1.3.2 currently
> has no documented DoS issue.  Now, you're saying to update to File Upload 1.3.3 to fix a DoS
> issue.  Why?

We announced the same a few months ago [1] and there was just one
release (Struts 2.3.35) that missed the thing [2]. And we won't be
releasing a new version just because some of the dependencies were
discovered to be vulnerable. And yes, we missed that Struts 2.3.35
and Struts 2.3.36 are using a vulnerable library.

There is a known vulnerability that affects 1.3.2 and prior versions
of commons-fileupload [3]. It's an RCE attack, not a DoS.
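As an added check, not code from the thread or from the Struts project: a POSIX shell scan of a deployed webapp's WEB-INF/lib that flags any commons-fileupload jar older than 1.3.3, the version the thread names as not affected. It assumes the jar follows the usual Maven naming, commons-fileupload-<version>.jar, and that the version is numeric dotted (an optional -qualifier suffix is ignored).

```shell
#!/bin/sh
# Oldest commons-fileupload release the thread treats as not affected.
FIXED_VERSION="1.3.3"

# version_lt A B: return 0 if dotted numeric version A is older than B.
# Missing trailing fields count as 0, so 1.3 < 1.3.3 and 1.3.3 == 1.3.3.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# check_fileupload_jars DIR: print one line per commons-fileupload jar in DIR
# (e.g. a webapp's WEB-INF/lib) and return 0 if any is older than FIXED_VERSION.
check_fileupload_jars() {
    found_vuln=1
    for jar in "$1"/commons-fileupload-*.jar; do
        [ -e "$jar" ] || continue
        ver="${jar##*/commons-fileupload-}"   # strip directory and artifact name
        ver="${ver%.jar}"                     # strip extension
        ver="${ver%%-*}"                      # drop any -SNAPSHOT style qualifier
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "$jar: $ver is older than $FIXED_VERSION, affected by the fileupload advisory"
            found_vuln=0
        else
            echo "$jar: $ver ok"
        fi
    done
    return $found_vuln
}

# Demo on a constructed WEB-INF/lib holding the version shipped with Struts 2.3.35.
demo_dir="$(mktemp -d)"
: > "$demo_dir/commons-fileupload-1.3.2.jar"
check_fileupload_jars "$demo_dir" || true
rm -rf "$demo_dir"
```

Run it against each deployed application's WEB-INF/lib rather than the build tree, since a stale exploded war keeps the old jar even after the pom is updated.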
