Hi Sebastian,

To be honest I have no idea why this triggers any alert. The vulnerability targets Tiles 2.0 [1] while Struts (even before merging the codebase) is using Tiles 3 which shouldn't be affected. This could be an issue of a false positive alert in OWASP. Also the vulnerability report looks suspicious as it mentions manipulating the session attribute DefaultLocaleResolver.LOCALE_KEY by a user - based on the tiles-test example [2] I can say it's a developer fault not a library vulnerability, the report is invalid IMO.
We can move this discussion to security@struts.a.o to get support from ASF Security gurus.

[1] https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
[2] https://github.com/apache/tiles/blob/TILES_2_1_X/tiles-test/src/main/java/org/apache/tiles/test/servlet/SelectLocaleServlet.java#L81-L102

Cheers
Łukasz

Wed, 10 Jan 2024 at 11:08 Sebastian Götz <s.go...@inform-technology.de> wrote:
> Hi Lukasz,
>
> happy new year to you and everyone as well!
>
> Unfortunately I had some trouble with the mailing list and thus did not
> receive your reply. I have found it browsing the group by browser and so I
> post your reply here for reference:
>
> Happy New Year!
> The Tiles codebase has been copied into the Struts Tiles plugin [1] and
> it's a part of the Struts 6.3.0 right now. Migrating to this version should
> solve the problem. And we (Struts) are going to maintain the Tiles codebase
> under the plugin, so no worries :)
> [1] https://issues.apache.org/jira/browse/WW-5233
> Cheers
> Łukasz
>
> I am very glad to hear that we do not have to move away from Tiles as it
> is a core of our product. We are running the OWASP dependency checker
> during the build. As we are on Struts 6.3.0.2 already, which should be the
> most recent version, I am not quite clear what to do now as the checker
> still marks struts-tiles-plugin.jar as vulnerable:
>
> Dependency-Check Failure:
> One or more dependencies were identified with vulnerabilities that have a
> CVSS score greater than or equal to '7,0':
> struts2-tiles-plugin.jar: CVE-2023-49735
>
> So my question is: can we treat this as a false positive or is the
> vulnerability still there and we need to wait for a fix version?
>
> Kind regards
>
> Sebastian
>
>
> On 02.01.2024 at 09:57, Sebastian Götz wrote:
>
> Hello to anybody and a happy new year!
>
> Our dependency check started to fail last year already marking
> struts2-tiles-plugin as the source of a security issue. As the plugin uses
> Apache Tiles 3.0.8 underneath it is affected by CVE-2023-49735.
> Now as we use the struts-tiles-plugin to build our web pages and the Tiles
> project is already retired, can somebody from the team explain how to
> mitigate the security issue (besides moving away from Tiles completely)?
>
> Kind regards
>
> Sebastian
>
> --
>
> Kind regards
> iNFORM Technology GmbH
>
> Sebastian Götz
>
> *****************************************************
>
> iNFORM Technology GmbH
> Berliner Straße 24
> 72458 Albstadt-Ebingen
>
> Tel: +49 7431 9816090
> s.go...@inform-technology.de
> http://www.inform-technology.de/
>
> *****************************************************
>
> <https://www.facebook.com/informTechnologyGmbH/>
>
> Managing Director: Christian Wanner | Commercial Register: HRB 773712,
> Stuttgart District Court | VAT ID No.: DE312290945
>
> This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this e-mail in error)
> please notify the sender immediately and destroy this e-mail. Any
> unauthorised copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden.
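Sebastian's question is whether the Dependency-Check failure can be treated as a false positive. If the Struts security team confirms Łukasz's reading (the CVE targets Tiles 2.x, the plugin ships the Tiles 3 codebase), the right way to silence the build failure is a narrowly scoped, documented suppression of that one CVE for that one artifact, not a lower CVSS threshold. The following suppression file is an added example, not something from the thread or from the Struts project; the `packageUrl` pattern (Maven coordinates `org.apache.struts:struts2-tiles-plugin`), the reviewer placeholders and the `until` date are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: OWASP Dependency-Check suppression for a single reviewed finding.
     The packageUrl regex, reviewer fields and expiry date are assumptions. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- 'until' makes the suppression expire so the decision is re-reviewed;
       the date below is a constructed placeholder. -->
  <suppress until="2024-12-31">
    <notes><![CDATA[
      CVE-2023-49735 targets Apache Tiles 2.x; struts2-tiles-plugin bundles the
      Tiles 3 codebase (dev@struts thread, Jan 2024, pending confirmation from
      security@struts.a.o). Reviewed by: <REVIEWER>, on: <DATE>, ticket: <TICKET-ID>.
    ]]></notes>
    <!-- Match only this artifact, any version, by package URL (assumed coordinates). -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.struts/struts2-tiles-plugin@.*$</packageUrl>
    <!-- Suppress exactly this CVE; other findings on the same jar still fail the build. -->
    <cve>CVE-2023-49735</cve>
  </suppress>
</suppressions>
```

With the Maven plugin the file is referenced through the `suppressionFiles` configuration parameter of `dependency-check-maven`; the CLI takes it via `--suppression`. Scoping the rule to one package URL and one CVE, with an expiry and a written justification, keeps the suppression auditable and ensures a later finding against the same jar is not hidden along with this one.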