I have no idea why they included 6.8.0, the original CVE registered and reported by me has "<= 6.7.0" as version range. I asked [email protected] for support.

On Mon, 8 Dec 2025 at 10:10, Britta Katzenbach <[email protected]> wrote:
>
> Hi Łukasz,
>
> we updated to 6.8.0, but we still get the notification about the
> vulnerability CVE-2025-64775 in the owasp dependency check:
>
> [ERROR] struts2-core-6.8.0.jar (pkg:maven/org.apache.struts/[email protected], cpe:2.3:a:apache:struts:6.8.0:*:*:*:*:*:*:*): CVE-2025-64775(7.5)
>
> Thank you for looking into it again.
>
> Best regards,
>
> Britta
>
> On 05.12.25 at 08:50, Lukasz Lenart wrote:
>
> On Fri, 5 Dec 2025 at 08:35, David Brunstein <[email protected]> wrote:
>
> S2-068
> https://cwiki.apache.org/confluence/display/WW/S2-068
>
> Under the Solution section, the page states "Upgrade to Struts 6.8.0", should
> it be updated to "Upgrade to Struts 6.7.0"?
>
> No, this is fine, CVE is addressed in 6.8.0 or 7.1.1, the only missing
> point is: 6.7.4 is also affected - I already updated the bulletin
>
> Cheers
> Łukasz
>
> --
> Britta Katzenbach
>
> _____________________________________________________
> e-Mail: [email protected]

