[
https://issues.apache.org/jira/browse/EMPIREDB-375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494618#comment-17494618
]
PJ Fanning commented on EMPIREDB-375:
-------------------------------------
Thanks Rainer for the response. Would it be possible to drop the struts
component from future releases of v2? CVE-2017-12611 is one of the most
notorious security issues and to have ASF products still shipped with jars that
have vulnerability does not feel great.
> upgrade struts version
> ----------------------
>
> Key: EMPIREDB-375
> URL: https://issues.apache.org/jira/browse/EMPIREDB-375
> Project: Empire-DB
> Issue Type: Improvement
> Affects Versions: empire-db-2.5.2
> Reporter: PJ Fanning
> Priority: Major
>
> [https://github.com/apache/empire-db/pull/8]
> also v2.2.1 in
> [https://github.com/apache/empire-db/blob/version2-legacy/pom.xml]
> master branch no longer seems to have struts at all but is version 2 is still
> being released - see
> [https://lists.apache.org/thread/3fh7djnh62o24xzvbhcqwbnsc5nd8mkx]
> struts v2.2.1 is from 2010 and has 4 CVEs open against it -
> [https://mvnrepository.com/artifact/org.apache.struts/struts2-core]
> One of the struts CVEs is the one that led to the Equifax hack -
> [https://www.synopsys.com/blogs/software-security/apache-struts-remote-code-execution-vulnerabilities/#:~:text=Apache%20published%20details%20of%20CVE,day%20Equifax%20announced%20the%20breach.&text=According%20to%20an%20Equifax%20statement,the%20attacker%20from%20mid%2DMay].
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
