Dave, Thanks for the quick reply. It looked like Struts 2 was a rewrite so I assumed it was very unlikely that the same vulnerability existed in Struts 1, but I needed to ask.
-Dave- From: Dave Newton <davelnew...@gmail.com> To: Struts Users Mailing List <user@struts.apache.org> Date: 09/03/2015 05:01 PM Subject: Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1? There's no such thing as `devMode` in Struts 1. Struts 1 vulnerabilities would be in Struts 1 announcements, although with the EOL, announcements and fixes may never happen. Struts 1 and Struts 2 have essentially zero in common. Dave On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <dgaw...@us.ibm.com> wrote: > The security bulletin for CVE-2015-5169 ( > https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone > know if the vulnerability also exists in Struts 1 in some form? I realize > Struts 1.x are no longer supported and that is why the bulletin doesn't > cover those releases. I grabbed the 1.3.10 code and searched for the > devMode property (that property appears to be involved in the > vulnerability) and did not find any refs. Searching for that property in > 2.x yields lots of references and leads me to believe the devMode > functionality was added in Struts 2. If so, then that is good but not > conclusive evidence the vulnerability is not in Struts 1. I'd appreciate > hearing any info others have on CVE-2015-5169 and Struts 1. > > -Dave- > > -- e: davelnew...@gmail.com m: 908-380-8699 s: davelnewton_skype t: @dave_newton <https://twitter.com/dave_newton> b: Bucky Bits <http://buckybits.blogspot.com/> g: davelnewton <https://github.com/davelnewton> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
