A vulnerability has been reported on struts-core-1.3.8.jar, which comes in as part of the org.apache.velocity.velocitytools dependency.
Steps followed to mitigate the vulnerability:
- Manually removed the struts-core-1.3.8.jar from the OpenMRS env.
- Restarted the OpenMRS service.
The application started working fine without any issues, and we tested the basic flows. Everything looks fine.
Raised a Talk thread for the same.
PR link to exclude the struts-core-1.3.8.jar from the pom.xml
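
A check for leftover copies after the manual removal described above, as an added example (not part of the original post or the OpenMRS code base): it reports struts-core jars that are loose on disk or bundled inside archives such as a WAR. The archive suffixes, the nesting limit and the directory passed in are assumptions.

```python
import io
import re
import zipfile
from pathlib import Path

# Matches the artifact named on the page, in any version (e.g. struts-core-1.3.8.jar).
STRUTS_CORE = re.compile(r"(^|/)struts-core-[\w.\-]+\.jar$")
# Assumption: container types worth opening when looking for bundled copies.
ARCHIVE_SUFFIXES = (".war", ".jar", ".omod", ".zip")
MAX_DEPTH = 3  # assumption: stop descending into nested archives after this many levels


def _scan_archive(data, label, hits, depth=0):
    """Record struts-core entries inside an archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable zip container, nothing to report
    with zf:
        for name in zf.namelist():
            if STRUTS_CORE.search(name):
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                _scan_archive(zf.read(name), f"{label}!/{name}", hits, depth + 1)


def find_struts_core(root):
    """Return sorted locations of struts-core jars under root, loose or bundled."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if STRUTS_CORE.search(rel):
            hits.append(rel)  # loose jar, e.g. in a lib directory
        elif path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(path.read_bytes(), rel, hits)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: python find_struts_core.py <deployment directory>
    for hit in find_struts_core(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

An empty result after the removal and restart means no copy of the jar remains under the scanned directory; a hit inside a WAR or module archive means the jar will come back on redeploy until the pom.xml exclusion is built in.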