This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new f474025 Automatic Site Publish by Buildbot
f474025 is described below
commit f474025c4a392248388402acad005076ec244d07
Author: buildbot <us...@infra.apache.org>
AuthorDate: Thu Aug 13 10:45:53 2020 +0000
Automatic Site Publish by Buildbot
---
output/announce.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/output/announce.html b/output/announce.html
index 3191dd8..1444b0e 100644
--- a/output/announce.html
+++ b/output/announce.html
@@ -153,7 +153,7 @@
By design, Struts 2 allows developers to utilize forced double evaluation for
certain tag attributes.
When used with unvalidated, user modifiable input, malicious OGNL expressions
may be injected.
In an ongoing effort, the Struts framework includes mitigations for limiting
the impact of injected expressions, but Struts before 2.5.22 left an attack
vector open which is addressed by this report.
-<strong>However, we continue to urge developers building upon Struts 2 to <a
href="https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions";>not
use <code class="highlighter-rouge">%{...}</code> syntax referencing
unvalidated user modifiable input in tag attributes </a>, since this is the
ultimate fix for this class of vulnerabilities.</strong></p>
+<strong>However, we continue to urge developers building upon Struts 2 to <a
href="https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions";>not
use <code class="highlighter-rouge">%{...}</code> or <code
class="highlighter-rouge">${...}</code> syntax referencing unvalidated user
modifiable input in tag attributes </a>, since this is the ultimate fix for
this class of vulnerabilities.</strong></p>
<p><a
href="https://cwiki.apache.org/confluence/display/ww/s2-060";>CVE-2019-0233</a>
has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
In Struts before 2.5.22, when a file upload is performed to an Action that
exposes the file with a getter, an attacker may manipulate the request such
that the working copy of the uploaded file or even the container temporary
upload directory may be set to read-only access. As a result, subsequent
actions on the file or file uploads in general will fail with an error.</p>
