Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I 
assumed it was very unlikely that the same vulnerability existed in Struts 
1, but I needed to ask.


From:   Dave Newton <davelnew...@gmail.com>
To:     Struts Users Mailing List <user@struts.apache.org>
Date:   09/03/2015 05:01 PM
Subject:        Re: Is the vulnerability documented in CVE-2015-5169 also 
applicable to Struts 1?

There's no such thing as `devMode` in Struts 1.

Struts 1 vulnerabilities would be in Struts 1 announcements, although with
the EOL, announcements and fixes may never happen.

Struts 1 and Struts 2 have essentially zero in common.


On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <dgaw...@us.ibm.com> wrote:

> The security bulletin for CVE-2015-5169 (
> https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. 
> know if the vulnerability also exists in Struts 1 in some form?  I 
> Struts 1.x are no longer supported and that is why the bulletin doesn't
> cover those releases.  I grabbed the 1.3.10 code and searched for the
> devMode property (that property appears to be involved in the
> vulnerability) and did not find any refs.  Searching for that property 
> 2.x yields lots of references and leads me to believe the devMode
> functionality was added in Struts 2.  If so, then that is good but not
> conclusive evidence the vulnerability is not in Struts 1.  I'd 
> hearing  any info others have on CVE-2015-5169 and Struts 1.
> -Dave-

e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <https://twitter.com/dave_newton>
b: Bucky Bits <http://buckybits.blogspot.com/>
g: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>

Reply via email to