struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christoph Nenning <Christoph.Nenn...@lex-com.net>
Subject Re: Security Vulnerability for Struts 1.3.10 in Struts 2.x
Date Tue, 03 May 2016 08:43:45 GMT
> Hi,
> 
> As Apache Struts 1.x is pretty old and it suffers from many security
> vulnerabilities, I decided to use a recent version of Apache Struts 2.x
> (Struts 2.3.24.1). However, I find that struts-core-1.3.10 jar is 
present
> in struts 2.x. Can you please let me know if the presence of this jar 
makes
> Struts 2.x vulnerable to security issues such as CVE-2012-1007
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007>.
> 
> Thanks and Best Regards,
> Anu


Do you use maven or some other tool to manage dependencies?
Or did you download one of the zip files?

Struts2 has many plugins which have their own dependencies. The zip files 
contain that all. But for most apps it is not necessary. It is highly 
recommended to use dependency management to make sure you really get just 
those jars that you need.



Regards,
Christoph

This Email was scanned by Sophos Anti Virus

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message