Hi Sebastian,

To be honest I have no idea why this triggers any alert. The
vulnerability targets Tiles 2.0 [1] while Struts (even before merging the
codebase) is using Tiles 3, which shouldn't be affected. This could be a
false positive alert in OWASP. Also the vulnerability report looks
suspicious as it mentions manipulating the session
attribute DefaultLocaleResolver.LOCALE_KEY by a user - based on the
tiles-test example [2] I can say it's a developer fault, not a library
vulnerability; the report is invalid IMO.

We can move this discussion to security@struts.a.o to get support from ASF
Security gurus.

[1] https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p
[2] https://github.com/apache/tiles/blob/TILES_2_1_X/tiles-test/src/main/java/org/apache/tiles/test/servlet/SelectLocaleServlet.java#L81-L102


Cheers
Łukasz

Wed, 10 Jan 2024 at 11:08 Sebastian Götz <s.go...@inform-technology.de>
wrote:

> Hi Lukasz,
>
> happy new year to you and everyone as well!
>
> Unfortunately I had some trouble with the mailing list and thus did not
> receive your reply. I have found it browsing the group by browser and so I
> post your reply here for reference:
>
> Happy New Year!
> The Tiles codebase has been copied into the Struts Tiles plugin [1] and
> it's a part of the Struts 6.3.0 right now. Migrating to this version should
> solve the problem. And we (Struts) are going to maintain the Tiles codebase
> under the plugin, so no worries :)
>
> [1] https://issues.apache.org/jira/browse/WW-5233
>
> Cheers
> Łukasz
>
> I am very glad to hear that we do not have to move away from Tiles as it
> is a core of our product. We are running the OWASP dependency checker
> during the build. As we are on Struts 6.3.0.2 already, which should be the
> most recent version, I am not quite clear what to do now as the checker
> still marks struts-tiles-plugin.jar as vulnerable:
>
> Dependency-Check Failure:
> One or more dependencies were identified with vulnerabilities that have a 
> CVSS score greater than or equal to '7,0':
> struts2-tiles-plugin.jar: CVE-2023-49735
>
> So my question is: can we treat this as a false positive or is the
> vulnerability still there and we need to wait for fix version?
>
> Kind regards
>
> Sebastian
>
>
> On 02.01.2024 at 09:57, Sebastian Götz wrote:
>
> Hello to anybody and a happy new year!
>
> Our dependency check started to fail last year already, marking
> struts2-tiles-plugin as the source of a security issue. As the plugin uses
> Apache Tiles 3.0.8 underneath it is affected by CVE-2023-49735.
> Now as we use the struts-tiles-plugin to build our web pages and the Tiles
> project is already retired, can somebody of the team explain how to
> mitigate the security issue (besides moving away from Tiles completely)?
>
> Kind regards
>
> Sebastian
>
>
>
>
> --
>
> Kind regards
> iNFORM Technology GmbH
>
> Sebastian Götz
>
> *****************************************************
>
> iNFORM Technology GmbH
> Berliner Straße 24
> 72458 Albstadt-Ebingen
>
> Tel: +49 7431 9816090
> s.go...@inform-technology.de
> http://www.inform-technology.de/
>
> *****************************************************
>
> Managing Director: Christian Wanner | Commercial Register: HRB 773712,
> Amtsgericht Stuttgart | VAT ID No.: DE312290945
>
> This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this e-mail in error)
> please notify the sender immediately and destroy this e-mail. Any
> unauthorised copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden.
>