
[GHSA-43mq-6xmg-29vm] Apache Struts file upload logic is flawed#5399

Merged
advisory-database[bot] merged 1 commit into github:chximn-dt/advisory-improvement-5399 from chximn-dt:chximn-dt-GHSA-43mq-6xmg-29vm
Mar 28, 2025

Conversation

@chximn-dt

Updates

  • Description
  • Affected products
  • References
  • CWEs

Comments

  • The vulnerable class was marked as deprecated in version 6.4.0 but was only removed in version 7.0.0. Therefore, applications using versions >=6.4.0, < 7.0.0 are still vulnerable

@github-actions github-actions bot changed the base branch from main to chximn-dt/advisory-improvement-5399 March 25, 2025 12:47
@chximn-dt chximn-dt changed the title Improve GHSA-43mq-6xmg-29vm [GHSA-43mq-6xmg-29vm] Apache Struts file upload logic is flawed Mar 25, 2025
@advisory-database advisory-database bot merged commit aa7b0e8 into github:chximn-dt/advisory-improvement-5399 Mar 28, 2025
2 checks passed
@advisory-database
Contributor

Hi @chximn-dt! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@chximn-dt
Author

Hi,

I noticed that the PR has been merged and the advisory's modified date has been updated in a47e619.
However, it seems that the changes proposed in the PR have not been applied.

Any insights into what might have happened?

@chximn-dt
Author

Hi @shelbyc, do you have any insights into this?

@shelbyc
Contributor

shelbyc commented Apr 9, 2025

Hi @chximn-dt, thank you for pinging me! The PR was merged erroneously before I had a chance to review the changes.

I agree with your suggestion to add apache/struts@1ecfbae, apache/struts@3ef9ade, and https://www.dynatrace.com/news/blog/the-anatomy-of-broken-apache-struts-2-a-technical-deep-dive-into-cve-2024-53677/ to the references, as well as the decision to add CWE-915. Those changes have been incorporated into the advisory, and your credit is still in the advisory.

With respect to changing the patched version from 6.4.0 to 7.0.0, I don't think I agree with the idea that the issue is only fully mitigated with the complete removal of FileUploadInterceptor in 7.0.0. If a project that depends on Struts has gone through the effort of replacing FileUploadInterceptor with ActionFileUploadInterceptor, that should be enough to mitigate the problem. Is it worth issuing more alerts to users who may not need them?

@chximn-dt
Copy link
Author

Hi @shelbyc, thanks for the prompt reply.

I agree with the idea that the issue is not only fully mitigated by the complete removal of FileUploadInterceptor in version 7.0.0. If projects using versions 6.4.0 to before 7.0.0 have replaced FileUploadInterceptor with ActionFileUploadInterceptor, the problem should be sufficiently mitigated.

However, projects using these versions that haven't been updated to use ActionFileUploadInterceptor won't receive any alerts, potentially leading to a false sense of security (false negatives).

A version should be considered as vulnerable even if there is a workaround available.
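The disagreement above is about which versions an advisory range should flag. The following is an added example, not part of the PR or of the advisory database's own tooling: it evaluates OSV-style `introduced`/`fixed` events the way an alerting system would, and shows which of a constructed list of Struts versions gain an alert when the fixed version moves from 6.4.0 to 7.0.0. The `introduced: "0"` lower bound and the version list are assumptions chosen for illustration, not values taken from the advisory.

```python
# Added example (not the advisory database's code): OSV-style range
# evaluation for a dependency alert, used to compare the two fixed
# versions debated in the PR (6.4.0 vs 7.0.0).
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Turn a dotted numeric version such as '6.4.0' into a comparable tuple.
    Only numeric components are handled, which is enough for the Struts
    releases discussed in the thread."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, ranges: List[Dict]) -> bool:
    """OSV semantics: a version is affected when it is >= an 'introduced'
    event and < the following 'fixed' event in the same range. A range
    whose last event is 'introduced' is open-ended (no fix yet)."""
    v = parse_version(version)
    for rng in ranges:
        lower = None
        for event in rng["events"]:
            if "introduced" in event:
                lower = parse_version(event["introduced"])
            elif "fixed" in event and lower is not None:
                if lower <= v < parse_version(event["fixed"]):
                    return True
                lower = None
        if lower is not None and lower <= v:
            return True
    return False


def alert_delta(versions: List[str], old_ranges: List[Dict],
                new_ranges: List[Dict]) -> List[str]:
    """Versions that would be alerted on under new_ranges but not under
    old_ranges, i.e. the alerts the PR's wider range would add."""
    added = [v for v in versions
             if is_affected(v, new_ranges) and not is_affected(v, old_ranges)]
    return sorted(added, key=parse_version)


# Assumed lower bound: '0' means every earlier release. The two candidate
# upper bounds are the ones debated in the thread.
RANGE_FIXED_6_4_0 = [{"type": "ECOSYSTEM",
                      "events": [{"introduced": "0"}, {"fixed": "6.4.0"}]}]
RANGE_FIXED_7_0_0 = [{"type": "ECOSYSTEM",
                      "events": [{"introduced": "0"}, {"fixed": "7.0.0"}]}]

# Constructed sample of installed Struts versions, not taken from any scan.
SAMPLE_VERSIONS = ["2.5.33", "6.3.0", "6.4.0", "6.5.0", "6.7.0", "7.0.0"]


if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(f"{v:>7}  fixed=6.4.0: {is_affected(v, RANGE_FIXED_6_4_0)!s:5}"
              f"  fixed=7.0.0: {is_affected(v, RANGE_FIXED_7_0_0)}")
    print("alerts added by moving fixed to 7.0.0:",
          alert_delta(SAMPLE_VERSIONS, RANGE_FIXED_6_4_0, RANGE_FIXED_7_0_0))
```

Running it lists 6.4.0, 6.5.0 and 6.7.0 as the versions that alert only under the wider range: exactly the population the PR author says would otherwise be silent false negatives, and the population the maintainer notes may already have swapped in ActionFileUploadInterceptor. The range data alone cannot tell those two groups apart, which is the trade-off the thread is weighing.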
