Struts version number changes #2423

Merged
merged 1 commit into from Aug 12, 2019

@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Struts 2.3.1.1 and earlier provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an \"easy work-around in existing apps by configuring the interceptor.\""
"value": "Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an \"easy work-around in existing apps by configuring the interceptor.\""
}
]
},
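Review bot: the replacement description on the second `"value"` line now names two disjoint ranges, "2.3.1.2 and earlier, 2.3.19-2.3.23", but no hunk in this file touches the `version_data` block, so the structured affected-version list will no longer match the prose. Either add a matching `version_data` change (one entry per range) or, at minimum, join the two ranges with "and" and say whether releases between 2.3.1.2 and 2.3.19 are affected; the bare comma leaves that open.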
@@ -74,4 +74,4 @@
}
]
}
}
}
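Review bot: this `@@ -74,4 +74,4 @@` hunk, and the identical four-line hunk at the end of every other file in this pull request, shows only unchanged closing braces with no visible content change, which usually means a trailing-newline or whitespace-only edit. Confirm that is intended; it touches every file and makes the real version changes harder to find in blame.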
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.1, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect."
"value": "Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect."
}
]
},
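Review bot: the fix boundary for the Showcase redirect issue moves from 2.3.14.1 to 2.3.14.3 without any change to the record's references, so nothing in the file supports the new number. Add or update a reference that names 2.3.14.3, and check the `version_data` block (not part of this diff) still agrees with "before 2.3.14.3".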
@@ -69,4 +69,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag."
"value": "Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag."
}
]
},
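Review bot: the includeParams boundary moves from 2.3.14.1 to 2.3.14.2, while the Showcase record in the previous file moves from the same 2.3.14.1 to 2.3.14.3. A one-line rationale in the PR for why the two now differ (or a reference in each record) would make this reviewable, and this file's `version_data` block is not updated to match the new description.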
@@ -74,4 +74,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method."
"value": "The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method."
}
]
},
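Review bot: "before 2.3.16.2" now lines up with the "incomplete fix for CVE-2014-0094" wording in the next record, which is consistent, but this file's `version_data` block is not in the diff; check that it agrees with 2.3.16.2 rather than the old 2.3.16.1.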
@@ -129,4 +129,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094."
"value": "ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094."
}
]
},
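Review bot: moving CVE-2014-0112 from "before 2.3.16.2" to "before 2.3.20" marks 2.3.16.2 and 2.3.16.3 as affected, even though those are the versions the surrounding records in this pull request present as fixes for the same ClassLoader issue. The NOTE (incomplete fix for CVE-2014-0094, which is now "before 2.3.16.2") still reads sensibly, but the widened range needs a reference that actually names 2.3.20 as the fix, and the `version_data` block of this file is untouched.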
@@ -124,4 +124,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094."
"value": "CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094."
}
]
},
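Review bot: CVE-2014-0113 gets the same widening as the previous record, "before 2.3.16.2" to "before 2.3.20", again with no `version_data` hunk in this file. The NOTE still points at CVE-2014-0094 as the incomplete fix, which remains consistent; please add the supporting reference for 2.3.20 here as well.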
@@ -79,4 +79,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to \"manipulate\" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113."
"value": "CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to \"manipulate\" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113."
}
]
},
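Review bot: after this change CVE-2014-0116 and CVE-2014-0113 both read "before 2.3.20", yet the NOTE on the same line says this issue exists because of an incomplete fix for CVE-2014-0113. Two records that claim the same fix version cannot also be one incomplete fix followed by a completed one, so either keep a distinct, earlier boundary for CVE-2014-0113 or reword the NOTE so it no longer describes a fix that, by these numbers, happened in the same release.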
@@ -79,4 +79,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions."
"value": "Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions."
}
]
},
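Review bot: the rewritten range on the second `"value"` line is not equivalent to the old one in two places. "2.3.19 to 2.3.20.2" counts 2.3.20.2 as affected, whereas the old "2.x before 2.3.20.2" presented it as the fixed release; and the new lower bound of 2.3.19 drops every 2.x release below it that the old text covered. "to" is also ambiguous about whether the end of each range is included; use "through" (the form the other records in this PR use) or "before" so each boundary is explicit, and state why the range now starts at 2.3.19.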
@@ -109,4 +109,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin."
"value": "Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin."
}
]
},
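Review bot: the new range here is copied verbatim from the previous record, but it is not a faithful rewrite of the old one: "2.3.24.x before 2.3.24.3" included 2.3.24.2, which the new "2.3.21 to 2.3.24.1" excludes, so 2.3.24.2 silently flips from affected to unaffected for the REST plugin `!` operator issue. Verify the upper bounds for this CVE on their own rather than reusing the neighbouring record's ranges, and make the "to" endpoints explicit.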
@@ -79,4 +79,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression."
"value": "The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression."
}
]
},
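Review bot: the lower bound moves from 2.3.20 to 2.3.19 only in the description; there is no `version_data` hunk for this file, so the structured range should be checked to agree, and a reference supporting 2.3.19 as the first affected release would make the change reviewable.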
@@ -84,4 +84,4 @@
}
]
}
}
}
@@ -16,7 +16,10 @@
"version": {
"version_data": [
{
"version_value": "2.3.20 - 2.3.30"
"version_value": "2.3.x before 2.3.31"
},
{
"version_value": "2.5.x before 2.5.5"
}
]
}
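Review bot: the `version_value` strings now mix two notations in one block: the old entry was an explicit range ("2.3.20 - 2.3.30"), while the replacement and the new 2.5 entry use "2.3.x before 2.3.31" and "2.5.x before 2.5.5". Other records in this PR keep the "A - B" form (for example "2.5 - 2.5.12"), so anything parsing these strings now has to handle both; pick one. Note also that "2.3.x before 2.3.31" extends the lower bound from 2.3.20 to the whole 2.3 line, which should be justified given the old entry deliberately started at 2.3.20.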
@@ -35,7 +38,7 @@
"description_data": [
{
"lang": "eng",
"value": "In the Convention plugin in Apache Struts 2.3.20 through 2.3.30, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side."
"value": "In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side."
}
]
},
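Review bot: the description now agrees with the updated `version_data` (2.3.x before 2.3.31 and 2.5.x before 2.5.5), which is the right pairing. While this line is being edited, "on server side" should read "on the server side".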
@@ -70,4 +73,4 @@
}
]
}
}
}
@@ -16,10 +16,10 @@
"version": {
"version_data": [
{
"version_value": "2.0.1 - 2.3.33"
"version_value": "2.0.0 - 2.3.33"
},
{
"version_value": "2.5 - 2.5.10"
"version_value": "2.5 - 2.5.10.1"
}
]
}
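Review bot: both bounds change here (2.0.1 to 2.0.0 and 2.5.10 to 2.5.10.1), and the description hunk below makes the same change, so the file is internally consistent. Naming 2.5.10.1 as the last affected release is new information, so the record's references should include the source that states it.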
@@ -38,7 +38,7 @@
"description_data": [
{
"lang": "eng",
"value": "In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack."
"value": "In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack."
}
]
},
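Review bot: consistent with the `version_data` hunk above. Two grammar points on the same line that this PR leaves untouched: "lead to a RCE attack" should be "lead to an RCE attack", and "using an unintentional expression in a Freemarker tag instead of string literals" is clearer as "using an expression instead of a string literal in a Freemarker tag".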
@@ -83,4 +83,4 @@
}
]
}
}
}
@@ -15,6 +15,9 @@
"product_name": "Apache Struts",
"version": {
"version_data": [
{
"version_value": "2.1.x series"
},
{
"version_value": "2.3.x series"
}
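Review bot: the added `"version_value": "2.1.x series"` matches the existing "2.3.x series" entry in this file, and placing it before the 2.3 entry keeps the list in version order. Both entries use free-text "series" wording rather than the "A - B" ranges used elsewhere in this PR; if the intent is every 2.1 release, an explicit range would be easier to match programmatically.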
@@ -35,7 +38,7 @@
"description_data": [
{
"lang": "eng",
"value": "The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage."
"value": "The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage."
}
]
},
@@ -90,4 +93,4 @@
}
]
}
}
}
@@ -20,6 +20,9 @@
},
{
"version_value": "2.5 - 2.5.12"
},
{
"version_value": "2.1.x series"
}
]
}
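Review bot: the new "2.1.x series" entry is appended after "2.5 - 2.5.12", so the `version_data` list is no longer in version order; move it ahead of the 2.3 entry, as the previous file does. It also uses the "series" wording next to an explicit "2.5 - 2.5.12" range in the same block, so the two notations now sit side by side.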
@@ -38,7 +41,7 @@
"description_data": [
{
"lang": "eng",
"value": "The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload."
"value": "The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload."
}
]
},
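Review bot: "2.1.x" is added without an explicit lower bound, while the 2.3 and 2.5 ranges on the same line have one, and the next record in this PR dates the REST plugin from 2.1.1; align the two so the plugin is not said to start in different places in two records. The list also needs a comma before "and 2.5 through 2.5.12", and the pre-existing "is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request" should become "uses an outdated XStream library that allows a DoS attack via a malicious request".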
@@ -93,4 +96,4 @@
}
]
}
}
}
@@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."
"value": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."
}
]
},
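Review bot: the lower bound moves from 2.1.2 to 2.1.1 for the REST plugin deserialization issue, while the previous record in this PR adds a bare "2.1.x" for the same plugin; both should cite the same first-affected release. There is no `version_data` hunk in this file, so the structured range should be checked against 2.1.1 as well.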
@@ -114,4 +114,4 @@
}
]
}
}
}