Posted to dev@community.apache.org by Warren Bates <wa...@deakin.edu.au.INVALID> on 2021/11/29 01:00:20 UTC

Struts Jar and Use of Maven Versions Set Plugin.

Hi Dev Community –

Hoping someone may be able to provide some information around use of Struts when invoking the Maven Versions Set plugin.

e.g., command:
mvn -DnewVersion=1.0.5 versions:set .

We found that it retrieves the dependency struts-core-1.3.8.jar into our local repo.

The reason for highlighting is that our security team have done an audit and detected the above jar file. Initially highlighting to us the vulnerabilities below:
https://www.cvedetails.com/version/524231/Apache-Struts-1.3.8.html
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/version_id-524231/Apache-Struts-1.3.8.html

We would like to know if there are any security concerns with the 1.3.8 version of struts jar in relation to this particular use case (Maven Versions Set plugin)?

This would help us in terms of documenting a security exemption around use of this particular version of the struts jar.

Cheers

Warren.




Important Notice: The contents of this email are intended solely for the named addressee and are confidential; any unauthorised use, reproduction or storage of the contents is expressly prohibited. If you have received this email in error, please delete it and any attachments immediately and advise the sender by return email or telephone.

Deakin University does not warrant that this email and any attachments are error or virus free.

Re: Struts Jar and Use of Maven Versions Set Plugin.

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi,

On 29.11.21 02:00, Warren Bates wrote:
> Hi Dev Community –
>
> Hoping someone may be able to provide some information around use of Struts when invoking the Maven Versions Set plugin.
>
> e.g., command:
> mvn -DnewVersion=1.0.5 versions:set .
>
> We found that it retrieves the dependency struts-core-1.3.8.jar into our local repo.
>
> The reason for highlighting is that our security team have done an audit and detected the above jar file. Initially highlighting to us the vulnerabilities below:
> https://www.cvedetails.com/version/524231/Apache-Struts-1.3.8.html
> https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/version_id-524231/Apache-Struts-1.3.8.html
>
> We would like to know if there are any security concerns with the 1.3.8 version of struts jar in relation to this particular use case (Maven Versions Set plugin)?
>
> This would help us in terms of documenting a security exemption around use of this particular version of the struts jar.

This is a dependency of the plugin which is used for some reporting
parts which are not called in your case.

The plugin is called: "versions-maven-plugin" which is located
https://github.com/mojohaus/versions-maven-plugin

Kind regards
Karl Heinz Marbaise
>
> Cheers
>
> Warren.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org
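Karl's reply says the jar is there because it is a dependency of versions-maven-plugin, not because the versions:set goal uses it. A practical first step when documenting that exemption is to show which POM in the local repository actually declares the artifact as a dependency. The script below is an added example, not code from the thread or from the versions-maven-plugin project: it scans a Maven repository layout for .pom files that declare a given artifactId inside a <dependency> element, while ignoring the artifact's own POM. The repository it builds (org.example:hypothetical-plugin and its struts-core dependency) is constructed for the demo and is not a real plugin.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): find which POMs in a
# local Maven repository declare a given artifactId as a dependency.
set -eu

# find_declaring_poms REPO_DIR ARTIFACT_ID
# Prints, relative to REPO_DIR, every .pom whose <dependencies> section
# contains <artifactId>ARTIFACT_ID</artifactId>. The artifact's own POM
# also contains that tag, but outside any <dependency> element, so it is
# deliberately not reported.
find_declaring_poms() {
  repo="$1"; artifact="$2"
  find "$repo" -name '*.pom' | sort | while read -r pom; do
    if awk -v a="$artifact" '
        /<dependency>/  { indep = 1 }
        /<\/dependency>/ { indep = 0 }
        indep && $0 ~ ("<artifactId>" a "</artifactId>") { found = 1 }
        END { exit !found }' "$pom"; then
      printf '%s\n' "${pom#"$repo"/}"
    fi
  done
}

# make_sample_repo REPO_DIR
# Builds a constructed repository layout: a hypothetical plugin POM that
# depends on struts-core 1.3.8, plus struts-core's own (minimal) POM.
make_sample_repo() {
  repo="$1"
  d="$repo/org/example/hypothetical-plugin/1.0"; mkdir -p "$d"
  cat > "$d/hypothetical-plugin-1.0.pom" <<'EOF'
<project>
  <groupId>org.example</groupId>
  <artifactId>hypothetical-plugin</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts-core</artifactId>
      <version>1.3.8</version>
    </dependency>
  </dependencies>
</project>
EOF
  d="$repo/org/apache/struts/struts-core/1.3.8"; mkdir -p "$d"
  cat > "$d/struts-core-1.3.8.pom" <<'EOF'
<project>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts-core</artifactId>
  <version>1.3.8</version>
</project>
EOF
}

# Run with --demo to scan the constructed repository; run with a repository
# path (e.g. "$HOME/.m2/repository") and an artifactId to scan a real one.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_repo "$tmp"
  find_declaring_poms "$tmp" struts-core
  rm -rf "$tmp"
elif [ $# -eq 2 ]; then
  find_declaring_poms "$1" "$2"
fi
```

Against a real ~/.m2/repository this answers "which artifact brought the jar in"; it does not by itself prove that the jar is loaded for the goal you run. For that, the debug output of the actual invocation (mvn -X ... versions:set) lists the jars Maven puts into the plugin's class realm, which is the evidence an exemption record should cite alongside the statement that the reporting code paths are not invoked.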


Re: Struts Jar and Use of Maven Versions Set Plugin.

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Mon, Nov 29, 2021 at 9:22 AM Warren Bates
<wa...@deakin.edu.au.invalid> wrote:
> ...We would like to know if there are any security concerns with the 1.3.8 version of struts jar
> in relation to this particular use case (Maven Versions Set plugin)?..

That's a question for the Struts project, http://struts.apache.org/mail.html

This list is for general community management questions, as opposed to
project-specific technical ones.

-Bertrand
