Closed idarlund closed 6 months ago
Thanks for your PR @idarlund !
Because this issue was fixed and reported on 6 days ago (https://struts.apache.org/announce-2023#a20231207-1), I wouldn't consider it appropriate for a notice. Since this service primarily aims to warn administrators to take immediate action, my guideline is that the high-impact vulnerability needs to have been announced or found within the last 24 hours, unless there are special circumstances (e.g. the vulnerability has been found to be more trivial to exploit than initially realized, etc.).
If I'm missing something please let me know, but for now I'm going to close your PR. You have my sincere gratitude for taking the time to write it up though.
Sure no worries.
The vulnerability in Struts is 6 days old, but this seems to be an emerging vulnerability since it's in a framework. Cisco just released their bulletin, it seems Atlassian are quiet but probably impacted and Shadow Server are seeing active exploitation at the moment: https://twitter.com/Shadowserver/status/1734919288257974380
There's also a POC published here on GitHub 9 hours ago: https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE
Thanks, I appreciate the information. In this particular case I'm still going to say that I'll leave the PR closed. It just looks like there is a considerable amount of chatter online about this particular vulnerability, and all of the usual lists have already sent their warnings (even governmental agencies, which are normally quite slow on the uptake). For this reason I think bug alert has already missed its window to be effective.
Again, I appreciate your contribution!
Added notice about Apache Struts RCE CVE-2023-50164