[
https://issues.apache.org/jira/browse/EMPIREDB-375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494804#comment-17494804
]
PJ Fanning commented on EMPIREDB-375:
-------------------------------------
Thanks [~doebele] - just seems safest to no longer ship the struts components,
given all the attention ASF are getting around the security of OSS software
> upgrade struts version
> ----------------------
>
> Key: EMPIREDB-375
> URL: https://issues.apache.org/jira/browse/EMPIREDB-375
> Project: Empire-DB
> Issue Type: Improvement
> Affects Versions: empire-db-2.5.2
> Reporter: PJ Fanning
> Assignee: Rainer Döbele
> Priority: Major
>
> [https://github.com/apache/empire-db/pull/8]
> also v2.2.1 in
> [https://github.com/apache/empire-db/blob/version2-legacy/pom.xml]
> master branch no longer seems to have struts at all but is version 2 is still
> being released - see
> [https://lists.apache.org/thread/3fh7djnh62o24xzvbhcqwbnsc5nd8mkx]
> struts v2.2.1 is from 2010 and has 4 CVEs open against it -
> [https://mvnrepository.com/artifact/org.apache.struts/struts2-core]
> One of the struts CVEs is the one that led to the Equifax hack -
> [https://www.synopsys.com/blogs/software-security/apache-struts-remote-code-execution-vulnerabilities/#:~:text=Apache%20published%20details%20of%20CVE,day%20Equifax%20announced%20the%20breach.&text=According%20to%20an%20Equifax%20statement,the%20attacker%20from%20mid%2DMay].
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
