Hi Team,

Version 2.3.35 is the official patch for this vulnerability. However, v2.3.35 
has a bunch of other fixes too.

So if we want the patch for only "CVE-2018-11776", what are the options 
available?

Is the fix for "CVE-2018-11776" contained completely in 
DefaultActionMapper.java?

Given that there was a backward compatibility issue seen with upgrade from 
2.3.34 to 2.3.35 (ref: 
https://www.mail-archive.com/users@maven.apache.org/msg140838.html), we are 
checking to see if there is a way to have a patch that fixes only 
"CVE-2018-11776".

Thanks
    Kiran
