JENKINS-59708

please update Struts version or commons-fileupload-1.3.1-jenkins-2.jar

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: _unsorted
    • Labels:
      None
    • Environment:
      /var/cache/jenkins/war/WEB-INF/lib/commons-fileupload-1.3.1-jenkins-2.jar
      Jenkins version 2.190.1 on centos 7

      Description

      https://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E?spm=a2c4g.11174386.n2.6.425f10511kFtsm&file=%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E

      The Apache Struts Team recommends immediately upgrading your Struts
      2.3.36 based projects to use the latest released version of the Commons
      FileUpload library, which is currently 1.3.3. This is necessary to
      prevent your publicly accessible web site from being exposed to
      possible Remote Code Execution attacks (see [1] [2]).

      This affects Struts 2.3.36 and prior. Struts versions from 2.5.12 are
      already using the latest commons-fileupload version [3].

      Your project is affected if it uses the built-in file upload mechanism
      of Struts 2, which defaults to the use of commons-fileupload. The
      updated commons-fileupload library is a drop-in replacement for the
      vulnerable version. Deployed applications can be hardened by replacing
      the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For
      Maven based Struts 2 projects, the following dependency needs to be
      added:

      <dependency>
          <groupId>commons-fileupload</groupId>
          <artifactId>commons-fileupload</artifactId>
          <version>1.3.3</version>
      </dependency>

      More details can be found here:

      [1] https://issues.apache.org/jira/browse/FILEUPLOAD-279
      [2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
      [3] https://issues.apache.org/jira/browse/WW-4812

      All developers are strongly advised to perform this action.

      on behalf of the Apache Struts Team

      Kind regards

      Łukasz
      + 48 606 323 122 http://www.lenart.org.pl/
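As an added check, not part of this issue or of the Struts advisory quoted in it, the script below walks a WEB-INF/lib directory like the one in the Environment field, finds commons-fileupload jars, reads the version from both the filename and the jar's META-INF/MANIFEST.MF, and flags anything below 1.3.3, the version the advisory names. The helper names (parse_version, manifest_version, audit_lib_dir, build_sample_lib, run_demo) are assumptions, and the two sample jars it builds in a temp directory are constructed so it runs offline; their manifests are not copied from any real build. One caveat a practitioner should keep in mind: CVE-2016-1000031 is a Java deserialization flaw in DiskFileItem fixed in 1.3.3, and a vendor-suffixed build such as the -jenkins-2 jar named above may carry a backported fix that the version string alone does not reveal, so the script reports the suffix and a "below fixed version" result is a flag for review against that vendor's changelog, not a verdict.

```python
"""Audit a WEB-INF/lib directory for commons-fileupload jars older than 1.3.3.

Added example, not code from the Jenkins issue or the Struts advisory.
All helper names are assumptions made for this check; the sample jars
built by build_sample_lib() are constructed so the script runs offline.
"""
import os
import re
import tempfile
import zipfile

# Version the Struts advisory names as the fixed release (assumed cut-off).
FIXED_VERSION = (1, 3, 3)

# Matches commons-fileupload-1.3.1.jar and vendor builds such as
# commons-fileupload-1.3.1-jenkins-2.jar (suffix captured separately).
JAR_NAME_RE = re.compile(
    r"^commons-fileupload-(?P<version>\d+(?:\.\d+)*)"
    r"(?P<suffix>-[A-Za-z0-9.-]+)?\.jar$"
)


def parse_version(text):
    """Turn '1.3.1' or '1.3.1-jenkins-2' into (1, 3, 1); None if no digits."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(0).split("."))


def manifest_version(jar_path):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in raw.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def audit_lib_dir(lib_dir):
    """List every commons-fileupload jar in lib_dir with its version status.

    The manifest version wins over the filename when both are present,
    because a renamed jar is cheap and a manifest is what the build wrote.
    """
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        m = JAR_NAME_RE.match(name)
        if not m:
            continue
        path = os.path.join(lib_dir, name)
        name_ver = parse_version(m.group("version"))
        mf_text = manifest_version(path)
        mf_ver = parse_version(mf_text) if mf_text else None
        effective = mf_ver or name_ver
        findings.append({
            "jar": name,
            "filename_version": name_ver,
            "manifest_version": mf_text,
            # A vendor suffix (e.g. -jenkins-2) may mean a backported fix:
            # report it so the reader checks the vendor changelog.
            "vendor_suffix": m.group("suffix"),
            "below_fixed": effective < FIXED_VERSION,
        })
    return findings


def build_sample_lib(lib_dir):
    """Constructed sample: two jars mimicking names seen in WEB-INF/lib."""
    samples = [
        ("commons-fileupload-1.3.1-jenkins-2.jar", "1.3.1"),
        ("commons-fileupload-1.3.3.jar", "1.3.3"),
    ]
    for name, impl_ver in samples:
        manifest = ("Manifest-Version: 1.0\r\n"
                    "Implementation-Version: %s\r\n\r\n" % impl_ver)
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)


def run_demo():
    """Build the constructed sample directory and audit it."""
    with tempfile.TemporaryDirectory() as lib_dir:
        build_sample_lib(lib_dir)
        return audit_lib_dir(lib_dir)


if __name__ == "__main__":
    # On a real host, call audit_lib_dir("/var/cache/jenkins/war/WEB-INF/lib").
    for f in run_demo():
        status = "UPGRADE" if f["below_fixed"] else "ok"
        print("%-8s %s (manifest %s, suffix %s)"
              % (status, f["jar"], f["manifest_version"], f["vendor_suffix"]))
```

Point audit_lib_dir at the real WEB-INF/lib path and treat each UPGRADE line as a jar to replace with the 1.3.3 build, or to confirm against the vendor's patch notes when it carries a suffix.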

          Activity

          There are no comments yet on this issue.

            People

            • Assignee:
              Unassigned
            • Reporter:
              blankhang blank hang
            • Votes:
              0
            • Watchers:
              1
