Publish GHSA-qw4h-3xjj-84cc

advisory-database[bot] · advisory-database[bot] · commit 0be1849ef488 · 2025-11-04T18:14:16.000Z
diff --git a/advisories/github-reviewed/2023/12/GHSA-qw4h-3xjj-84cc/GHSA-qw4h-3xjj-84cc.json b/advisories/github-reviewed/2023/12/GHSA-qw4h-3xjj-84cc/GHSA-qw4h-3xjj-84cc.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qw4h-3xjj-84cc",
-  "modified": "2023-12-11T21:45:42Z",
+  "modified": "2025-11-04T18:12:32Z",
   "published": "2023-12-01T00:31:00Z",
   "aliases": [
     "CVE-2023-49735"
   ],
   "summary": "Apache Tiles: Unvalidated input may lead to path traversal and XXE",
-  "details": "The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles.\n\nThis issue affects Apache Tiles from version 2 onwards.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\n\n",
+  "details": "The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles.\n\nThis issue affects Apache Tiles from version 2 onwards.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -30,6 +30,44 @@
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.struts:struts-tiles"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.3.0"
+            },
+            {
+              "last_affected": "1.3.10"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "struts:struts"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.1"
+            },
+            {
+              "last_affected": "1.2.9"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
