2017-12-08 19:11 GMT+01:00 <info...@unixcert.net>:
> It looks like the Jackson-databind issue is only associated with 2.5.X
> versions of Struts. I just want to confirm that 2.3.X versions are not.

Struts 2.3.x series is using a different version of the Jackson library [1] and we have no knowledge if that version is vulnerable as well. Also, 2.3.x series is using json-lib as a default JSON handler implementation which means it's impacted by [2].

[1] https://github.com/apache/struts/blob/support-2-3/plugins/rest/pom.xml#L52
[2] https://cwiki.apache.org/confluence/display/WW/S2-054

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/