Anu,

On 4/28/16 6:34 PM, Anu Krishna Rajamohan wrote:
> As Apache Struts 1.x is pretty old and it suffers from many
> security vulnerabilities, I decided to use a recent version of
> Apache Struts 2.x (Struts 2.3.24.1). However, I find that
> struts-core-1.3.10 jar is present in struts 2.x. Can you please let
> me know if the presence of this jar makes Struts 2.x vulnerable to
> security issues such as CVE-2012-1007
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007>.

It's worth pointing out that CVE-2012-1007 specifically is an XSS vulnerability in the Struts example web application. There is really no need to ever deploy that application anywhere but a dev server playground.

The presence of the JAR does not deploy this examples web application, so you won't be vulnerable to CVE-2012-1007 unless you really try hard to expose yourself.

-chris
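A check a maintainer can run against a deployed WAR to see which Struts core JARs are actually bundled, so the question "is struts-core 1.x shipped next to struts2-core?" is answered from the artifact rather than from the distribution listing. This is an added example, not code from the thread or from the Struts project; the WAR is constructed in memory and the JAR names follow the Struts artifact naming convention (struts-core-1.3.10.jar, struts2-core-2.3.24.1.jar).

```python
import io
import re
import zipfile

# Matches WEB-INF/lib/<struts artifact>-<version>.jar, e.g. struts-core-1.3.10.jar
# or struts2-core-2.3.24.1.jar; the non-greedy artifact group stops before the
# version so "struts-core" / "1.3.10" split correctly.
JAR_RE = re.compile(r"^WEB-INF/lib/(struts2?-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")


def struts_jars(war_bytes):
    """Return {artifact: version} for every Struts JAR under WEB-INF/lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def assess(jars):
    """Return (struts1 core version or None, struts2 core version or None).

    A non-None first element means a Struts 1.x core JAR is bundled; whether
    that matters depends on what the application itself deploys (e.g. the
    Struts 1 example webapp), which this inventory does not decide.
    """
    return jars.get("struts-core"), jars.get("struts2-core")


def build_sample_war():
    """Constructed sample WAR mirroring the layout described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/struts2-core-2.3.24.1.jar", b"")
        war.writestr("WEB-INF/lib/struts-core-1.3.10.jar", b"")
        war.writestr("WEB-INF/lib/commons-logging-1.1.3.jar", b"")  # ignored
    return buf.getvalue()


if __name__ == "__main__":
    inventory = struts_jars(build_sample_war())
    s1, s2 = assess(inventory)
    print("Struts JARs:", inventory)
    if s1:
        print(f"Struts 1.x core {s1} bundled alongside Struts 2 core {s2}")
```

Point `struts_jars` at the bytes of a real WAR (`open("app.war", "rb").read()`) to inventory an actual deployment.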