struts-user mailing list archives

From "David Gawron" <dgaw...@us.ibm.com>
Subject Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
Date Thu, 03 Sep 2015 20:41:46 GMT
The security bulletin for CVE-2015-5169
(https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone 
know if the vulnerability also exists in Struts 1 in some form?  I realize 
Struts 1.x are no longer supported and that is why the bulletin doesn't 
cover those releases.  I grabbed the 1.3.10 code and searched for the 
devMode property (that property appears to be involved in the 
vulnerability) and did not find any refs.  Searching for that property in 
2.x yields lots of references and leads me to believe the devMode 
functionality was added in Struts 2.  If so, then that is good but not 
conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate 
hearing any info others have on CVE-2015-5169 and Struts 1.

-Dave-

