Hi Lukasz,
happy new year to you and everyone as well!
Unfortunately I had some trouble with the mailing list and thus did not
receive your reply. I have found it browsing the group by browser and so
I post your reply here for reference:
Happy New Year!
The Tiles codebase has been copied into the Struts Tiles plugin [1] and
it's a part of the Struts 6.3.0 right now. Migrating to this version
should solve the problem. And we (Struts) are going to maintain the
Tiles codebase under the plugin, so no worries :)
[1] https://issues.apache.org/jira/browse/WW-5233
Cheers
Łukasz
I am very glad to hear that we do not have to move away from Tiles as it
is a core of our product. We are running the OWASP dependency checker
during the build. As we are on Struts 6.3.0.2 already, which should be
the most recent version, I am not quite clear what to do now as the
checker still marks struts-tiles-plugin.jar as vulnerable:
Dependency-Check Failure: One or more dependencies were identified with
vulnerabilities that have a CVSS score greater than or equal to '7,0':
struts2-tiles-plugin.jar: CVE-2023-49735
So my question is: can we treat this as a false positive or is the
vulnerability still there and we need to wait for fix version?
Kind regards
Sebastian
On 02.01.2024 at 09:57, Sebastian Götz wrote:
Hello to everybody and a happy new year!
Our dependency check started to fail last year already, marking
struts2-tiles-plugin as the source of a security issue. As the plugin
uses Apache Tiles 3.0.8 underneath it is affected by CVE-2023-49735.
Now as we use the struts-tiles-plugin to build our web pages and the
Tiles project is already retired, can somebody of the team explain how
to mitigate the security issue (besides moving away from Tiles
completely)?
Kind regards
Sebastian
--
Kind regards
iNFORM Technology GmbH
Sebastian Götz
*****************************************************
iNFORM Technology GmbH
Berliner Straße 24
72458 Albstadt-Ebingen
Tel: +49 7431 9816090
s.go...@inform-technology.de
http://www.inform-technology.de/
*****************************************************
Managing Director: Christian Wanner | Commercial Register: HRB 773712,
Amtsgericht Stuttgart | VAT ID No.: DE312290945