[struts-site] branch master updated: Add ignores for VS Code and Eclipse
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/master by this push: new 4accab4 Add ignores for VS Code and Eclipse 4accab4 is described below commit 4accab4a8528b6ea991b3da803431edd6ed447f2 Author: Rene Gielen AuthorDate: Thu Aug 13 09:59:23 2020 +0200 Add ignores for VS Code and Eclipse --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index cca73da..1569020 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,5 @@ target .bundle .jekyll-metadata _site +.project +.settings/
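Review bot: the two entries added in this .gitignore hunk, `.project` and `.settings/`, are Eclipse project artifacts only, while the commit message also names VS Code; if VS Code is meant to be covered, its workspace directory `.vscode/` needs its own line in the hunk, otherwise the message should say Eclipse only.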
Buildbot success in on jekyll_websites
The Buildbot has detected a passing build on builder jekyll_websites while building struts. Full details are available at: https://ci2.apache.org/#builders/7/builds/162 Buildbot URL: https://ci2.apache.org/ Worker for this Build: bb_slave10_ubuntu Build Reason: Triggered jekyll auto-build via .asf.yaml by rgielen Blamelist: asfinfra, commits@struts.apache.org Build succeeded! Sincerely, -The Buildbot
[struts-site] branch master updated: Adjust docker scripts and docs to remove start errors (bash) and allow local serving
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/master by this push: new 6ec8abe Adjust docker scripts and docs to remove start errors (bash) and allow local serving 6ec8abe is described below commit 6ec8abe20f37735ae38c9105f86458abb2abeece Author: Rene Gielen AuthorDate: Thu Aug 13 12:08:14 2020 +0200 Adjust docker scripts and docs to remove start errors (bash) and allow local serving --- README.md | 2 ++ docker-run.fish | 2 +- docker-run.sh | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 70cf0da..d9425c0 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ when running `fish-shell`, or: when running `Bash` or `Sh`. +The continuously generated website can then be accessed at http://localhost:4000 + All pages are generated into the `content` folder. There are two scripts used to build the image but this should be used only when `Dockerfile` was modified. diff --git a/docker-run.fish b/docker-run.fish index f9fc341..94e0a88 100755 --- a/docker-run.fish +++ b/docker-run.fish @@ -1,3 +1,3 @@ #!/usr/local/bin/fish -docker run --rm -v $PWD:/srv/jekyll -it jekyll/jekyll:3.8 jekyll serve --watch --trace --force_polling --incremental +docker run --rm -v $PWD:/srv/jekyll -it -p 4000:4000 jekyll/jekyll:3.8 jekyll serve --watch --trace --host 0.0.0.0 --force_polling --incremental diff --git a/docker-run.sh b/docker-run.sh index 70011ab..ff1efab 100755 --- a/docker-run.sh +++ b/docker-run.sh 
@@ -1,5 +1,5 @@ #!/bin/sh -export JEKYLL_VERSION 3.8 +export JEKYLL_VERSION=3.8 -docker run --rm -v $PWD:/srv/jekyll -it jekyll/jekyll:$JEKYLL_VERSION jekyll serve --watch --trace --host=0.0.0.0 --force_polling --incremental +docker run --rm -v $PWD:/srv/jekyll -it -p 4000:4000 jekyll/jekyll:$JEKYLL_VERSION jekyll serve --watch --trace --host 0.0.0.0 --force_polling --incremental
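Review bot: in the docker-run.fish hunk, `-p 4000:4000` together with `--host 0.0.0.0` publishes the development server on every host interface, not only the loopback address that the README's new `http://localhost:4000` line implies; for the stated goal of local serving, `-p 127.0.0.1:4000:4000` keeps the host-side port loopback-only, while `--host 0.0.0.0` inside the container stays necessary for the port mapping to work at all.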
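Review bot: `$PWD` in `-v $PWD:/srv/jekyll` is unquoted in the docker-run.sh hunk, so a checkout path containing spaces is word-split by sh and the volume mount fails; use `-v "$PWD:/srv/jekyll"`. The `export JEKYLL_VERSION=3.8` correction is right: the old `export JEKYLL_VERSION 3.8` passes `3.8` to export as a second variable name, which bash rejects as an invalid identifier (the start error the commit message refers to), leaving `$JEKYLL_VERSION` empty in the image tag. The `-p 4000:4000` publish added here has the same host-wide exposure as the one in docker-run.fish, so the loopback-only form `-p 127.0.0.1:4000:4000` would fit the local-serving goal better in both scripts.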
Buildbot success in on jekyll_websites
The Buildbot has detected a passing build on builder jekyll_websites while building struts. Full details are available at: https://ci2.apache.org/#builders/7/builds/163 Buildbot URL: https://ci2.apache.org/ Worker for this Build: bb_slave10_ubuntu Build Reason: Triggered jekyll auto-build via .asf.yaml by rgielen Blamelist: asfinfra, commits@struts.apache.org Build succeeded! Sincerely, -The Buildbot
[struts-site] 02/02: Add Announcement 2020-08-13
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a commit to branch announcement-202008 in repository https://gitbox.apache.org/repos/asf/struts-site.git commit 53faadb0de5f65a83e493fb0a6042f64f5d13f44 Author: Rene Gielen AuthorDate: Thu Aug 13 12:06:45 2020 +0200 Add Announcement 2020-08-13 --- source/announce.md | 48 source/index.html | 40 2 files changed, 68 insertions(+), 20 deletions(-) diff --git a/source/announce.md b/source/announce.md new file mode 100644 index 000..daf589e --- /dev/null +++ b/source/announce.md 
@@ -0,0 +1,48 @@ +--- +layout: default +title: Announcements 2020 +--- + +# Announcements 2020 +{:.no_toc} + +* Will be replaced with the ToC, excluding a header +{:toc} + + + Skip to: Announcements - 2019 + + + 13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues {#a20200813} + +Two new [Struts Security Bulletins](https://cwiki.apache.org/confluence/display/WW/Security+Bulletin) have been issued for Struts 2 by the Apache Struts Security Team: + +* [S2-059](https://cwiki.apache.org/confluence/display/ww/s2-059) - Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (CVE-2019-0230) +* [S2-060](https://cwiki.apache.org/confluence/display/ww/s2-060) - Access permission override causing a Denial of Service when performing a file upload (CVE-2019-0233) + +Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The current version 2.5.22, which was released in November 2019, is not affected. + +[CVE-2019-0230](https://cwiki.apache.org/confluence/display/ww/s2-059) has been reported by Matthias Kaiser, Apple Information Security. +By design, Struts 2 allows developers to utilize forced double evaluation for certain tag attributes. +When used with unvalidated, user modifiable input, malicious OGNL expressions may be injected. +In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. 
+**However, we continue to urge developers building upon Struts 2 to [not use `%{...}` syntax referencing unvalidated user modifiable input in tag attributes ](https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions), since this is the ultimate fix for this class of vulnerabilities.** + +[CVE-2019-0233](https://cwiki.apache.org/confluence/display/ww/s2-060) has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. +In Struts before 2.5.22, when a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file or even the container temporary upload directory may be set to read-only access. As a result, subsequent actions on the file or file uploads in general will fail with an error. + +Both issues are already fixed in Apache Struts [2.5.22](https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22), which was released in November 2019. + +**We strongly recommend all users to [upgrade](download.cgi#struts-ga) to Struts 2.5.22, if this has not been done already.** + +The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure. + + + + Skip to: Announcements - 2019 + + + + Next: + Kickstart FAQ + diff --git a/source/index.html b/source/index.html index 8eb9c79..821aee3 100644 --- a/source/index.html +++ b/source/index.html 
@@ -31,23 +31,39 @@ title: Welcome to the Apache Struts project +Security Advice S2-058 released + +A number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges. +Read more in + Announcement + + + Apache Struts {{ site.current_version }} GA Apache Struts {{ site.current_version }} GA has been releasedon {{ site.release_date }}. -Read more in Announcement or in +Read more in Announcement or in Version notes + + + +Apache Struts 2.3.x EOL + + The Apache Struts Team informs about discontinuing support for Struts 2.3.x branch, we recommend migration + to the latest version of Struts, read more in + Announcement + + Apache Struts {{ site.prev_version }} GA It's the latest release of Struts 2.3.x which contains the latest security fixes, - released on {{ site.prev_release_date }}. Read more in Announc
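Review bot: in the source/announce.md hunk, the `[CVE-2019-0230](https://cwiki.apache.org/confluence/display/ww/s2-059)` and `[CVE-2019-0233](https://cwiki.apache.org/confluence/display/ww/s2-060)` links point the CVE identifiers at the S2-059 and S2-060 bulletin pages, which the bullet list two paragraphs earlier already links under their bulletin names; either point the CVE identifiers at their CVE database records or leave them unlinked, so a reader clicking a CVE identifier is not sent back to the bulletin they just saw. The affected range `2.0.0 - 2.5.20` and the fixed version `2.5.22` are stated consistently in both the summary and the per-issue paragraphs, which is good.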
[struts-site] branch announcement-202008 created (now 53faadb)
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a change to branch announcement-202008 in repository https://gitbox.apache.org/repos/asf/struts-site.git. at 53faadb Add Announcement 2020-08-13 This branch includes the following new commits: new 5059bd1 Make current 2019 announcement page archived new 53faadb Add Announcement 2020-08-13 The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[struts-site] 01/02: Make current 2019 announcement page archived
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a commit to branch announcement-202008 in repository https://gitbox.apache.org/repos/asf/struts-site.git commit 5059bd1986eae537a20ab921253a8f9286d49af5 Author: Rene Gielen AuthorDate: Thu Aug 13 10:04:02 2020 +0200 Make current 2019 announcement page archived --- source/{announce.md => announce-2019.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/source/announce.md b/source/announce-2019.md similarity index 100% rename from source/announce.md rename to source/announce-2019.md
[struts-site] 01/02: Make current 2019 announcement page archived
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git commit 82f2b508346124b3907f399cca8ff5f678f4aa9d Author: Rene Gielen AuthorDate: Thu Aug 13 10:04:02 2020 +0200 Make current 2019 announcement page archived --- source/{announce.md => announce-2019.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/source/announce.md b/source/announce-2019.md similarity index 100% rename from source/announce.md rename to source/announce-2019.md
[struts-site] 02/02: Add Announcement 2020-08-13
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git commit 166f72eb8ea5fbf0ab6b57483f46630235c0a6a5 Author: Rene Gielen AuthorDate: Thu Aug 13 12:06:45 2020 +0200 Add Announcement 2020-08-13 --- source/announce.md | 48 source/index.html | 40 2 files changed, 68 insertions(+), 20 deletions(-) diff --git a/source/announce.md b/source/announce.md new file mode 100644 index 000..daf589e --- /dev/null +++ b/source/announce.md 
@@ -0,0 +1,48 @@ +--- +layout: default +title: Announcements 2020 +--- + +# Announcements 2020 +{:.no_toc} + +* Will be replaced with the ToC, excluding a header +{:toc} + + + Skip to: Announcements - 2019 + + + 13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues {#a20200813} + +Two new [Struts Security Bulletins](https://cwiki.apache.org/confluence/display/WW/Security+Bulletin) have been issued for Struts 2 by the Apache Struts Security Team: + +* [S2-059](https://cwiki.apache.org/confluence/display/ww/s2-059) - Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (CVE-2019-0230) +* [S2-060](https://cwiki.apache.org/confluence/display/ww/s2-060) - Access permission override causing a Denial of Service when performing a file upload (CVE-2019-0233) + +Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The current version 2.5.22, which was released in November 2019, is not affected. + +[CVE-2019-0230](https://cwiki.apache.org/confluence/display/ww/s2-059) has been reported by Matthias Kaiser, Apple Information Security. +By design, Struts 2 allows developers to utilize forced double evaluation for certain tag attributes. +When used with unvalidated, user modifiable input, malicious OGNL expressions may be injected. +In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. 
+**However, we continue to urge developers building upon Struts 2 to [not use `%{...}` syntax referencing unvalidated user modifiable input in tag attributes ](https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions), since this is the ultimate fix for this class of vulnerabilities.** + +[CVE-2019-0233](https://cwiki.apache.org/confluence/display/ww/s2-060) has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. +In Struts before 2.5.22, when a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file or even the container temporary upload directory may be set to read-only access. As a result, subsequent actions on the file or file uploads in general will fail with an error. + +Both issues are already fixed in Apache Struts [2.5.22](https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22), which was released in November 2019. + +**We strongly recommend all users to [upgrade](download.cgi#struts-ga) to Struts 2.5.22, if this has not been done already.** + +The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure. + + + + Skip to: Announcements - 2019 + + + + Next: + Kickstart FAQ + diff --git a/source/index.html b/source/index.html index 8eb9c79..821aee3 100644 --- a/source/index.html +++ b/source/index.html 
@@ -31,23 +31,39 @@ title: Welcome to the Apache Struts project +Security Advice S2-058 released + +A number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges. +Read more in + Announcement + + + Apache Struts {{ site.current_version }} GA Apache Struts {{ site.current_version }} GA has been releasedon {{ site.release_date }}. -Read more in Announcement or in +Read more in Announcement or in Version notes + + + +Apache Struts 2.3.x EOL + + The Apache Struts Team informs about discontinuing support for Struts 2.3.x branch, we recommend migration + to the latest version of Struts, read more in + Announcement + + Apache Struts {{ site.prev_version }} GA It's the latest release of Struts 2.3.x which contains the latest security fixes, - released on {{ site.prev_release_date }}. Read more in Announcement or in +
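Review bot: the visible part of this source/index.html hunk reworks the S2-058, 2.3.x EOL and `{{ site.prev_version }}` GA boxes, all of which describe 2019 announcements that the preceding commit moved to announce-2019.md; please check that every `Read more in Announcement` link in these boxes now targets `announce-2019.html` with its original fragment, and that a front-page box for the new `#a20200813` advisory is present (none appears in the portion of the hunk shown here, and the hunk is truncated). While touching this block, the context line `has been releasedon {{ site.release_date }}` is missing a space before `on`.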
[struts-site] branch master updated (6ec8abe -> 166f72e)
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git. from 6ec8abe Adjust docker scripts and docs to remove start errors (bash) and allow local serving new 82f2b50 Make current 2019 announcement page archived new 166f72e Add Announcement 2020-08-13 The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: source/{announce.md => announce-2019.md} | 0 source/announce.md | 155 --- source/index.html| 40 3 files changed, 38 insertions(+), 157 deletions(-) copy source/{announce.md => announce-2019.md} (100%)
[struts-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 9084f62 Automatic Site Publish by Buildbot 9084f62 is described below commit 9084f6260f88a20fd9c77a5df14cc5bd9e96e828 Author: buildbot AuthorDate: Thu Aug 13 10:13:09 2020 + Automatic Site Publish by Buildbot --- output/{announce.html => announce-2019.html} | 2 +- output/announce.html | 168 +++ output/index.html| 40 +++ 3 files changed, 40 insertions(+), 170 deletions(-) diff --git a/output/announce.html b/output/announce-2019.html similarity index 99% copy from output/announce.html copy to output/announce-2019.html index 2a620cd..9ec6e55 100644 --- a/output/announce.html +++ b/output/announce-2019.html @@ -126,7 +126,7 @@ -https://github.com/apache/struts-site/edit/master/source/announce.md"; title="Edit this page on GitHub">Edit on GitHub +https://github.com/apache/struts-site/edit/master/source/announce-2019.md"; title="Edit this page on GitHub">Edit on GitHub Announcements 2019 diff --git a/output/announce.html b/output/announce.html index 2a620cd..3191dd8 100644 --- a/output/announce.html +++ b/output/announce.html @@ -7,7 +7,7 @@ - Announcements 2019 + Announcements 2020 
@@ -128,174 +128,44 @@ https://github.com/apache/struts-site/edit/master/source/announce.md"; title="Edit this page on GitHub">Edit on GitHub -Announcements 2019 +Announcements 2020 - 29 November 2019 - Struts 2.5.22 General Availability - 12 September 2019 - Struts 2.3.x reached End-Of-Life - 15 August 2019 - Security Advice: Announcing corrected affected version ranges in historic Apache Struts security bulletins and CVE entries - 14 January 2019 - Struts 2.5.20 General Availability - 30 December 2018 - Struts 2.3.37 General Availability + 13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues - Skip to: Announcements - 2018 + Skip to: Announcements - 2019 -29 November 2019 - Struts 2.5.22 General Availability +13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues -The Apache Struts group is pleased to announce that Struts 2.5.22 is available as a “General Availability” -release. The GA designation is our highest quality grade. - -Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. -The framework is designed to streamline the full development cycle, from building, to deploying, -to maintaining applications over time. - - - Please be aware of new security enhancements added to the version of Struts, they are disabled by default -but please consider enabling them to increase safety of you application. You will find more details in our -Security Guide. 
- - -Below is a full list of all changes: +Two new https://cwiki.apache.org/confluence/display/WW/Security+Bulletin";>Struts Security Bulletins have been issued for Struts 2 by the Apache Struts Security Team: - File upload fails from certain clients - Not existing property in listValueKey throws exception - Can’t get OgnlValueStack log even if enable logMissingProperties - No more calling of a static variable in Struts 2.8.20 available - NullPointerException in ProxyUtil class when accessing static member - EmptyStackException in JSON plugin due to concurrency - Tiles bug when parsing file:// URLs including # as part of the URL - Accessing static variable via OGNL returns nothing - HttpParameters.Builder can wrap objects in two layers of Parameters - Binding Integer Array upon form submission - Double-submit of TokenSessionStoreInterceptor broken since 2.5.16 - xerces tries to load resources from the internet - Dispatcher prints stacktraces directly to the console - The content allowed-methods tag of the XML configuration is sometimes truncated - OGNL: An illegal reflective access operation has occurred - java.lang.reflect.InvocationTargetException - Class: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector - Struts2 convention plugin lacks Java 11 support - Upgrade SLF4J to latest 1.7.x version - Minor enhancement/fix to AbstractLocalizedTextProvider - Provide mechanism to clear OgnlUtil caches - Struts 2 unit testing using StrutTestCase class - Upgrade Jackson library to the latest version - Upgrade to OGNL version 3.1.22 - Update a few Struts 2.5.x libraries to more recent versions - Upgrade commons-beanutils to version 1.9.4 - Upgrade jackson-databind to version 2.9.9.3 - Upgrade to OGNL 3.1.26 and adapt to its new features + https://cwiki.apache.org/confluence/display/ww/s2-059";>S2-059
Buildbot success in on jekyll_websites
The Buildbot has detected a passing build on builder jekyll_websites while building struts. Full details are available at: https://ci2.apache.org/#builders/7/builds/164 Buildbot URL: https://ci2.apache.org/ Worker for this Build: bb_slave10_ubuntu Build Reason: Triggered jekyll auto-build via .asf.yaml by rgielen Blamelist: asfinfra, commits@struts.apache.org Build succeeded! Sincerely, -The Buildbot
Buildbot success in on jekyll_websites
The Buildbot has detected a passing build on builder jekyll_websites while building struts. Full details are available at: https://ci2.apache.org/#builders/7/builds/165 Buildbot URL: https://ci2.apache.org/ Worker for this Build: bb_slave10_ubuntu Build Reason: Triggered jekyll auto-build via .asf.yaml by rgielen Blamelist: asfinfra, commits@struts.apache.org Build succeeded! Sincerely, -The Buildbot
[struts-site] branch master updated: Add $-syntax to announcement
This is an automated email from the ASF dual-hosted git repository. rgielen pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/master by this push: new d7a07ec Add $-syntax to announcement d7a07ec is described below commit d7a07ec8bf0da37593f106e7633e64298747d679 Author: Rene Gielen AuthorDate: Thu Aug 13 12:44:54 2020 +0200 Add $-syntax to announcement --- source/announce.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/announce.md b/source/announce.md index daf589e..a6a543c 100644 --- a/source/announce.md +++ b/source/announce.md 
@@ -26,7 +26,7 @@ Both issues affect Apache Struts in the version range 2.0.0 - 2.5.20. The curren By design, Struts 2 allows developers to utilize forced double evaluation for certain tag attributes. When used with unvalidated, user modifiable input, malicious OGNL expressions may be injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. -**However, we continue to urge developers building upon Struts 2 to [not use `%{...}` syntax referencing unvalidated user modifiable input in tag attributes ](https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions), since this is the ultimate fix for this class of vulnerabilities.** +**However, we continue to urge developers building upon Struts 2 to [not use `%{...}` or `${...}` syntax referencing unvalidated user modifiable input in tag attributes ](https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions), since this is the ultimate fix for this class of vulnerabilities.** [CVE-2019-0233](https://cwiki.apache.org/confluence/display/ww/s2-060) has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. In Struts before 2.5.22, when a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file or even the container temporary upload directory may be set to read-only access. As a result, subsequent actions on the file or file uploads in general will fail with an error.
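Review bot: the changed line keeps a trailing space inside the markdown link text, `in tag attributes ](https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions)`, which renders as a stray space at the end of the link; since the line is being edited anyway, drop that space. Adding `${...}` next to `%{...}` is consistent with the linked guide section, whose anchor names raw EL expressions in general rather than only the OGNL form.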
[struts-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-site by this push: new f474025 Automatic Site Publish by Buildbot f474025 is described below commit f474025c4a392248388402acad005076ec244d07 Author: buildbot AuthorDate: Thu Aug 13 10:45:53 2020 + Automatic Site Publish by Buildbot --- output/announce.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/output/announce.html b/output/announce.html index 3191dd8..1444b0e 100644 --- a/output/announce.html +++ b/output/announce.html 
@@ -153,7 +153,7 @@ By design, Struts 2 allows developers to utilize forced double evaluation for certain tag attributes. When used with unvalidated, user modifiable input, malicious OGNL expressions may be injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. -However, we continue to urge developers building upon Struts 2 to https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions";>not use %{...} syntax referencing unvalidated user modifiable input in tag attributes , since this is the ultimate fix for this class of vulnerabilities. +However, we continue to urge developers building upon Struts 2 to https://struts.apache.org/security/#use-struts-tags-instead-of-raw-el-expressions";>not use %{...} or ${...} syntax referencing unvalidated user modifiable input in tag attributes , since this is the ultimate fix for this class of vulnerabilities. https://cwiki.apache.org/confluence/display/ww/s2-060";>CVE-2019-0233 has been reported by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. In Struts before 2.5.22, when a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file or even the container temporary upload directory may be set to read-only access. As a result, subsequent actions on the file or file uploads in general will fail with an error.