Re: CVE-2019-0233 is Struts v1 vulnerable?

2020-08-21 Thread Dave Newton 
You’d need to create a variation of one of the PoCs, you can likely search
around for one. That said—I don’t see how S1 could be vulnerable since it’s
a completely different mechanism. In general, no S2 vulnerabilities will
apply to S1 *ever* unless it’s explicitly related to a dependent
library—there’s no real relationship between S1 and S2.



On Fri, Aug 21, 2020 at 15:39 Rayne Anderson  wrote:

> You are probably correct on due to the different frameworks.  If I do need
>
> to test Struts v1 where do I obtain the test instructions from?  I could
>
> not find them when searching earlier.
>
>
>
> Regards, Rayne
>
>
>
> IBM Watson Financial Services
>
> 10925 David Taylor Drive
>
> Charlotte, NC 28262-1040, US
>
> MG82/202
>
> (704) 501-0331
>
>
>
>
>
>
>
>
>
> From:   Lukasz Lenart 
>
> To: Struts Users Mailing List 
>
> Date:   08/21/2020 05:57 AM
>
> Subject:[EXTERNAL] Re: CVE-2019-0233 is Struts v1 vulnerable?
>
>
>
>
>
>
>
> pt., 21 sie 2020 o 11:30 Rayne Anderson  napisał(a):
>
> >
>
> > I know that Apache Struts File upload CVE-2019-0233 applies to Struts
>
> v2.
>
> > Does the CVE apply to Struts v1.3.8?
>
>
>
> I would say no as these are totally different frameworks but we didn't
>
> test Struts 1.3.8 against this vulnerability as Struts 1 has reached
>
> End-of-Life a few years ago.
>
>
>
>
>
> Regards
>
> --
>
> Łukasz
>
> + 48 606 323 122
>
> http://www.lenart.org.pl/
>
>
>
>
>
> -
>
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
>
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
>
>
>
>
>
>
>
>
>
> --
em: davelnew...@gmail.com
mo: 908-380-8699
tw: @dave_newton 
li: dave-newton 
gh: davelnewton 
so: Dave Newton 
bl[0]: Bucky Bits 
bl[1]: Maker's End Blog 
sk: davelnewton_skype

RE: CVE-2019-0233 is Struts v1 vulnerable?

2020-08-21 Thread Rayne Anderson 
You are probably correct on due to the different frameworks.  If I do need 
to test Struts v1 where do I obtain the test instructions from?  I could 
not find them when searching earlier.

Regards, Rayne

IBM Watson Financial Services
10925 David Taylor Drive
Charlotte, NC 28262-1040, US
MG82/202
(704) 501-0331




From:   Lukasz Lenart 
To: Struts Users Mailing List 
Date:   08/21/2020 05:57 AM
Subject:[EXTERNAL] Re: CVE-2019-0233 is Struts v1 vulnerable?



pt., 21 sie 2020 o 11:30 Rayne Anderson  napisał(a):
>
> I know that Apache Struts File upload CVE-2019-0233 applies to Struts 
v2.
> Does the CVE apply to Struts v1.3.8?

I would say no as these are totally different frameworks but we didn't
test Struts 1.3.8 against this vulnerability as Struts 1 has reached
End-of-Life a few years ago.


Regards
-- 
Łukasz
+ 48 606 323 122 
http://www.lenart.org.pl/ 


-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

RE: [ANN] [SECURITY] Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues

2020-08-21 Thread Oskar Frejd 
@struts devs - Please remove the **RESERVED** state and update the detailes for 
CVE-2019-0230 at http://cve.mitre.org to make it available at NVD so tools like 
OWASP depandency-check can act on this vuln, as we and I guess many others are 
using the tools to be able to act as fast as possible.

kind regads,
Oskar

Re: CVE-2019-0233 is Struts v1 vulnerable?

2020-08-21 Thread Lukasz Lenart 
pt., 21 sie 2020 o 11:30 Rayne Anderson  napisał(a):
>
> I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2.
> Does the CVE apply to Struts v1.3.8?

I would say no as these are totally different frameworks but we didn't
test Struts 1.3.8 against this vulnerability as Struts 1 has reached
End-of-Life a few years ago.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org

CVE-2019-0233 is Struts v1 vulnerable?

2020-08-21 Thread Rayne Anderson 
I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2. 
Does the CVE apply to Struts v1.3.8?

If no one knows the answer I can find no explicit details of how to test 
for the vulnerability or what the code changes where made in Struts 2. How 
do I obtain this information?

I have tried googling, searching GitHub issues, etc.

Regards, Rayne

IBM Watson Financial Services
10925 David Taylor Drive
Charlotte, NC 28262-1040, US
MG82/202
(704) 501-0331