[GHSA-cx25-xg7c-xfm5] Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability #6412
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR updates the security advisory GHSA-cx25-xg7c-xfm5 to include affected versions for Apache Struts 1.2.x with a different Maven groupId. The key changes address the distinction between Struts 1.2.x and 1.3.x package coordinates.
Key Changes:
- Added a new affected package entry for
struts:struts(groupId for Struts 1.2.x) - Updated the modification timestamp to reflect the changes
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "introduced": "1.2.0" | ||
| }, | ||
| { | ||
| "fixed": "<= 1.2.9" |
There was a problem hiding this comment.
The 'fixed' field should contain the version where the vulnerability was fixed, not a range expression. The value '<= 1.2.9' indicates vulnerable versions, not the fixed version. This field should either contain a specific version number like '1.2.10' (if that's the fixed version) or be replaced with a 'last_affected' field set to '1.2.9'.
| "fixed": "<= 1.2.9" | |
| "last_affected": "1.2.9" |
Updates
Comments
struts 1.2.x has a different groupId then struts 1.3.x