struts-user mailing list archives

From "David Gawron" <>
Subject Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
Date Fri, 04 Sep 2015 16:51:27 GMT

Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I 
assumed it was very unlikely that the same vulnerability existed in Struts 
1, but I needed to ask.


From:   Dave Newton <>
To:     Struts Users Mailing List <>
Date:   09/03/2015 05:01 PM
Subject:        Re: Is the vulnerability documented in CVE-2015-5169 also 
applicable to Struts 1?

There's no such thing as `devMode` in Struts 1.

Struts 1 vulnerabilities would be in Struts 1 announcements, although with
the EOL, announcements and fixes may never happen.

Struts 1 and Struts 2 have essentially zero in common.


On Thu, Sep 3, 2015 at 4:41 PM, David Gawron <> wrote:

> The security bulletin for CVE-2015-5169 (
> only mentions Struts 2. 
> know if the vulnerability also exists in Struts 1 in some form?  I 
> Struts 1.x are no longer supported and that is why the bulletin doesn't
> cover those releases.  I grabbed the 1.3.10 code and searched for the
> devMode property (that property appears to be involved in the
> vulnerability) and did not find any refs.  Searching for that property 
> 2.x yields lots of references and leads me to believe the devMode
> functionality was added in Struts 2.  If so, then that is good but not
> conclusive evidence the vulnerability is not in Struts 1.  I'd 
> hearing  any info others have on CVE-2015-5169 and Struts 1.
> -Dave-

m: 908-380-8699
s: davelnewton_skype
t: @dave_newton <>
b: Bucky Bits <>
g: davelnewton <>
so: Dave Newton <>
