> Hi,
>
> As Apache Struts 1.x is pretty old and it suffers from many security
> vulnerabilities, I decided to use a recent version of Apache Struts 2.x
> (Struts 2.3.24.1). However, I find that struts-core-1.3.10 jar is present
> in struts 2.x. Can you please let me know if the presence of this jar makes
> Struts 2.x vulnerable to security issues such as CVE-2012-1007
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007>.
>
> Thanks and Best Regards,
> Anu

Do you use Maven or some other tool to manage dependencies? Or did you download one of the zip files?

Struts2 has many plugins which have their own dependencies. The zip files contain all of that. But for most apps it is not necessary.

It is highly recommended to use dependency management to make sure you really get just those jars that you need.

Regards,
Christoph
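
To see which jars a built application actually ships, the following added example (not part of the original thread, and not code from the Struts project) scans a WAR's `WEB-INF/lib` for jars carrying classes in the Struts 1 package tree `org/apache/struts/`, which is distinct from the Struts 2 tree `org/apache/struts2/`. The function names and the sample WAR are constructed for illustration; the check reports presence only and says nothing about exploitability.

```python
import io
import zipfile

# Struts 1 classes live under org/apache/struts/, Struts 2 classes under
# org/apache/struts2/. The trailing slash keeps the two trees apart.
STRUTS1_PREFIX = "org/apache/struts/"


def jar_has_struts1(jar_bytes):
    """Return True if the jar holds .class files in the Struts 1 package tree."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(name.startswith(STRUTS1_PREFIX) and name.endswith(".class")
                   for name in jar.namelist())


def find_struts1_jars(war_bytes):
    """List the WEB-INF/lib jars of a WAR that ship Struts 1 classes.

    Matching is done on jar contents, so a renamed jar is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                if jar_has_struts1(war.read(name)):
                    hits.append(name)
    return sorted(hits)


def _make_zip(entries):
    """Build an in-memory zip from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, data in entries.items():
            archive.writestr(path, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR: one Struts 1 jar and one Struts 2 jar (empty classes)."""
    struts1 = _make_zip({"org/apache/struts/action/ActionServlet.class": b""})
    struts2 = _make_zip({"org/apache/struts2/dispatcher/Dispatcher.class": b""})
    return _make_zip({
        "WEB-INF/lib/struts-core-1.3.10.jar": struts1,
        "WEB-INF/lib/struts2-core-2.3.24.1.jar": struts2,
        "WEB-INF/web.xml": b"<web-app/>",
    })


if __name__ == "__main__":
    for jar in find_struts1_jars(build_sample_war()):
        print("Struts 1 classes found in", jar)
```
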