Hi Dev Community – Hoping someone may be able to provide some information around use of struts when invoking Maven Versions Set plugin.
e.g., command: mvn -DnewVersion=1.0.5 versions:set

We found that it retrieves the dependency struts-core-1.3.8.jar into our local repo. The reason for highlighting is that our security team have done an audit and detected the above jar file. Initially highlighting to us the vulnerabilities below:

https://www.cvedetails.com/version/524231/Apache-Struts-1.3.8.html
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/version_id-524231/Apache-Struts-1.3.8.html

We would like to know if there are any security concerns with the 1.3.8 version of struts jar in relation to this particular use case (Maven Versions Set plugin)? This would help us in terms of documenting a security exemption around use of this particular version of the struts jar.

Cheers
Warren.