I hope someone one here help me find an answer. Basically I am researching struts_1 (not two) and want to find something from the Stuts team that acknowledges the
recognize the vulnerability CVE-2016-1182. I have completed some research and find such things as
Why would you expect them to acknowledge this? Struts 1 was EOL long before this, so why would they spend time on it, especially when external researchers have already done that? Obviously, it won't be fixed. Why do you "need something where the Struts folks accept it"? What difference does that make?
IMO, anyone who uses Struts 1 at this point should be charged with criminal negligence if something happens because of it.
posted 1 month ago
Thanks for the reply. I am doing some research on the struts_1 framework and more specifically CVE-2016-1182. I totally get what you are saying, but I am trying to form a paper-trail to the vulnerability (CVE-2016-1182) for my Masters research.
I just need link document where Apache recognize the issue. I believe it was never fixed..so just the acknowledgement, something more concrete that this >> https://www.securityfocus.com/bid/91067
If you are familiar and can help me, i would greatly appreciate it
One of the things that "End of Life" means is that the creator/vendor no longer supports that version of the product. I'm pretty sure that Struts 1 was LONG past end-of-life before the date of the official filing listed at the site you mentioned. So very unlikely that it was ever repaired by Apache. Any ameliorations would have been done by secondary vendors such as IBM.
It says that the vulnerability was reported by the vendor, so if you want to research its discovery, you should go to apache.org and rummage through the Struts incident-tracking database. Click the "References" tab on the incident report page to get a list of hyperlinks relating to the filing and fixes. The very first one is the struts.apache.org link and there's a pull-down menu to access their issue data from there.
An IDE is no substitute for an Intelligent Developer.
There are 10 kinds of people in this world. Those that understand binary get this tiny ad: