Hi,
On 29.11.21 02:00, Warren Bates wrote:
Hi Dev Community –
Hoping someone may be able to provide some information around the use of struts when
invoking the Maven Versions Set plugin.
e.g., command:
mvn -DnewVersion=1.0.5 versions:set .
We found that it retrieves the dependency struts-core-1.3.8.jar into our local
repo.
The reason for highlighting this is that our security team have done an audit and
detected the above jar file, initially highlighting to us the vulnerabilities
below:
https://www.cvedetails.com/version/524231/Apache-Struts-1.3.8.html
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/version_id-524231/Apache-Struts-1.3.8.html
We would like to know if there are any security concerns with the 1.3.8 version
of struts jar in relation to this particular use case (Maven Versions Set
plugin)?
This would help us in terms of documenting a security exemption around use of
this particular version of the struts jar.
This is a dependency of the plugin which is used for some reporting
parts which are not called in your case.
The plugin is called "versions-maven-plugin" and is located at
https://github.com/mojohaus/versions-maven-plugin
Kind regards
Karl Heinz Marbaise
Cheers
Warren.