RE: CVE-2019-0233 is Struts v1 vulnerable?
Thanks everyone for the quick responses.

Regards, Rayne

IBM Watson Financial Services
10925 David Taylor Drive
Charlotte, NC 28262-1040, US
MG82/202
(704) 501-0331

From: Dave Newton
To: Struts Users Mailing List
Date: 08/21/2020 04:30 PM
Subject: [EXTERNAL] Re: CVE-2019-0233 is Struts v1 vulnerable?

You’d need to create a variation of one of the PoCs, you can likely search around for one.

That said—I don’t see how S1 could be vulnerable since it’s a completely different mechanism. In general, no S2 vulnerabilities will apply to S1 *ever* unless it’s explicitly related to a dependent library—there’s no real relationship between S1 and S2.
Re: CVE-2019-0233 is Struts v1 vulnerable?
You’d need to create a variation of one of the PoCs, you can likely search around for one.

That said—I don’t see how S1 could be vulnerable since it’s a completely different mechanism. In general, no S2 vulnerabilities will apply to S1 *ever* unless it’s explicitly related to a dependent library—there’s no real relationship between S1 and S2.

On Fri, Aug 21, 2020 at 15:39 Rayne Anderson wrote:

> You are probably correct due to the different frameworks. If I do need
> to test Struts v1 where do I obtain the test instructions from? I could
> not find them when searching earlier.
>
> Regards, Rayne

--
em: davelnew...@gmail.com
mo: 908-380-8699
tw: @dave_newton <https://twitter.com/dave_newton>
li: dave-newton <https://www.linkedin.com/in/dave-newton/>
gh: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
bl[0]: Bucky Bits <http://buckybits.blogspot.com/>
bl[1]: Maker's End Blog <https://blog.makersend.com>
sk: davelnewton_skype
RE: CVE-2019-0233 is Struts v1 vulnerable?
You are probably correct due to the different frameworks. If I do need to test Struts v1 where do I obtain the test instructions from? I could not find them when searching earlier.

Regards, Rayne

IBM Watson Financial Services
10925 David Taylor Drive
Charlotte, NC 28262-1040, US
MG82/202
(704) 501-0331

From: Lukasz Lenart
To: Struts Users Mailing List
Date: 08/21/2020 05:57 AM
Subject: [EXTERNAL] Re: CVE-2019-0233 is Struts v1 vulnerable?

I would say no as these are totally different frameworks but we didn't test Struts 1.3.8 against this vulnerability as Struts 1 reached End-of-Life a few years ago.
Re: CVE-2019-0233 is Struts v1 vulnerable?
Fri, 21 Aug 2020 at 11:30 Rayne Anderson wrote:
>
> I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2.
> Does the CVE apply to Struts v1.3.8?

I would say no as these are totally different frameworks but we didn't test Struts 1.3.8 against this vulnerability as Struts 1 reached End-of-Life a few years ago.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
CVE-2019-0233 is Struts v1 vulnerable?
I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2. Does the CVE apply to Struts v1.3.8?

If no one knows the answer, I can find no explicit details of how to test for the vulnerability or what code changes were made in Struts 2. How do I obtain this information? I have tried googling, searching GitHub issues, etc.

Regards, Rayne

IBM Watson Financial Services
10925 David Taylor Drive
Charlotte, NC 28262-1040, US
MG82/202
(704) 501-0331