Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-prjv-jj26-wf8h] ClassLoader manipulation in Apache Struts #4239

Open
wants to merge 1 commit into
base: MarkLee131/advisory-improvement-4239
Choose a base branch
from
Open

[GHSA-prjv-jj26-wf8h] ClassLoader manipulation in Apache Struts #4239

wants to merge 1 commit into from

Conversation

MarkLee131
Copy link

Updates

  • Affected products
  • CWEs
  • References

Comments
Add a patch apache/struts@74e2683, of which the commit message claims Adds additional pattern to prevent access to getClass method. This shows its correlation with the root cause of this cve The Struts 2 ParametersInterceptor was updated to block access to the 'class' parameter, but not all forms in which this parameter can be specified were blocked as claimed by Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1091939.

@github-actions github-actions bot changed the base branch from main to MarkLee131/advisory-improvement-4239 April 12, 2024 05:56
@shelbyc
Copy link

shelbyc commented Apr 16, 2024

Hi @MarkLee131, I think this is not the correct commit link. apache/struts@74e2683 was committed on 10 January 2016. https://bugzilla.redhat.com/show_bug.cgi?id=1091939 states that the vulnerability was fixed in Apache Struts version 2.3.16.2 and https://nvd.nist.gov/vuln/detail/CVE-2014-0112 says the vulnerability was fixed in 2.3.20. According to https://mvnrepository.com/artifact/org.apache.struts/struts2-core, versions 2.3.16.2 and 2.3.20 were both released in 2014. Therefore, apache/struts@74e2683 is too new to be the fix commit.

This was referenced Apr 16, 2024
Open
Open
@taladrane
Copy link
Collaborator

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@taladrane taladrane added the Stale label May 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@MarkLee131 @shelbyc @taladrane