Posted to user@struts.apache.org by Rayne Anderson <ra...@us.ibm.com> on 2020/08/21 09:30:27 UTC

CVE-2019-0233 is Struts v1 vulnerable?

I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2. 
Does the CVE apply to Struts v1.3.8?

If no one knows the answer, I can find no explicit details of how to test
for the vulnerability or what code changes were made in Struts 2. How
do I obtain this information?

I have tried googling, searching GitHub issues, etc.

Regards, Rayne

IBM Watson Financial Services
10925 David Taylor Drive
Charlotte, NC 28262-1040, US
MG82/202
(704) 501-0331



RE: CVE-2019-0233 is Struts v1 vulnerable?

Posted by Rayne Anderson <ra...@us.ibm.com>.
Thanks everyone for the quick responses.

Regards, Rayne





From:   Dave Newton <da...@gmail.com>
To:     Struts Users Mailing List <us...@struts.apache.org>
Date:   08/21/2020 04:30 PM
Subject:        [EXTERNAL] Re: CVE-2019-0233 is Struts v1 vulnerable?



You’d need to create a variation of one of the PoCs, you can likely search
around for one. That said—I don’t see how S1 could be vulnerable since it’s
a completely different mechanism. In general, no S2 vulnerabilities will
apply to S1 *ever* unless it’s explicitly related to a dependent
library—there’s no real relationship between S1 and S2.








Re: CVE-2019-0233 is Struts v1 vulnerable?

Posted by Dave Newton <da...@gmail.com>.
You’d need to create a variation of one of the PoCs, you can likely search
around for one. That said—I don’t see how S1 could be vulnerable since it’s
a completely different mechanism. In general, no S2 vulnerabilities will
apply to S1 *ever* unless it’s explicitly related to a dependent
library—there’s no real relationship between S1 and S2.



On Fri, Aug 21, 2020 at 15:39 Rayne Anderson <ra...@us.ibm.com> wrote:

> You are probably correct on due to the different frameworks.  If I do need
> to test Struts v1 where do I obtain the test instructions from?  I could
> not find them when searching earlier.
>
> Regards, Rayne
>
>
> From:   Lukasz Lenart <lu...@apache.org>
> To:     Struts Users Mailing List <us...@struts.apache.org>
> Date:   08/21/2020 05:57 AM
> Subject:        [EXTERNAL] Re: CVE-2019-0233 is Struts v1 vulnerable?
>
> On Fri, 21 Aug 2020 at 11:30, Rayne Anderson <ra...@us.ibm.com> wrote:
> >
> > I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2.
> > Does the CVE apply to Struts v1.3.8?
>
> I would say no as these are totally different frameworks but we didn't
> test Struts 1.3.8 against this vulnerability as Struts 1 has reached
> End-of-Life a few years ago.
>
> --
em: davelnewton@gmail.com
mo: 908-380-8699
tw: @dave_newton <https://twitter.com/dave_newton>
li: dave-newton <https://www.linkedin.com/in/dave-newton/>
gh: davelnewton <https://github.com/davelnewton>
so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
bl[0]: Bucky Bits <http://buckybits.blogspot.com/>
bl[1]: Maker's End Blog <https://blog.makersend.com>
sk: davelnewton_skype

RE: CVE-2019-0233 is Struts v1 vulnerable?

Posted by Rayne Anderson <ra...@us.ibm.com>.
You are probably correct due to the different frameworks.  If I do need
to test Struts v1 where do I obtain the test instructions from?  I could
not find them when searching earlier.

Regards, Rayne





From:   Lukasz Lenart <lu...@apache.org>
To:     Struts Users Mailing List <us...@struts.apache.org>
Date:   08/21/2020 05:57 AM
Subject:        [EXTERNAL] Re: CVE-2019-0233 is Struts v1 vulnerable?



On Fri, 21 Aug 2020 at 11:30, Rayne Anderson <ra...@us.ibm.com> wrote:
>
> I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2.
> Does the CVE apply to Struts v1.3.8?

I would say no as these are totally different frameworks but we didn't
test Struts 1.3.8 against this vulnerability as Struts 1 has reached
End-of-Life a few years ago.


Regards
-- 
Łukasz
+ 48 606 323 122 
http://www.lenart.org.pl/ 








Re: CVE-2019-0233 is Struts v1 vulnerable?

Posted by Lukasz Lenart <lu...@apache.org>.
On Fri, 21 Aug 2020 at 11:30, Rayne Anderson <ra...@us.ibm.com> wrote:
>
> I know that Apache Struts File upload CVE-2019-0233 applies to Struts v2.
> Does the CVE apply to Struts v1.3.8?

I would say no as these are totally different frameworks but we didn't
test Struts 1.3.8 against this vulnerability as Struts 1 has reached
End-of-Life a few years ago.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org