[TRUNK-6080] Exclude struts-core-1.3.8.jar from the maven dependencies - OpenMRS Issues

XML

Word

Printable

Details

Type: Task
Status: Closed
Priority: Should
Resolution: Fixed
Affects Version/s: Platform 2.5.0
Fix Version/s: Core 2.6.0, Core 2.3.6, Core 2.4.6, Core 2.5.6, Core 2.2.2, Core 2.1.7
Component/s: None
Labels:
None

Complexity:
Low
Development:

9 builds successfulDeployed to Sourceforge Mirror

Description

There is a vulnerability reported on struts-core-1.3.8.jar. And this is coming as part of the org.apache.velocity.velocitytools dependency.

Steps followed to mitigate the vulnerability:

Manually removed the struts-core-1.3.8.jar from the openmrs env.
Restarted the openmrs service.

Application started working fine without any issues, and we tested the basic flows. Everything looks fine.

Raised talk thread for the same.

https://talk.openmrs.org/t/struts-core-1-3-8-security-vulnerability-in-openmrs-core/36523

PR link to exclude the struts-core.1.3.8.jar from the pom.xml

https://github.com/openmrs/openmrs-core/pull/4083

Gliffy Diagrams

Attachments

Activity

People

Assignee:: Himabindu Akkinepalli

Reporter:: Himabindu Akkinepalli

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2022-05-10 11:24:16 GMT

Updated:: 2022-05-31 15:55:45 GMT

Resolved:: 2022-05-31 15:55:45 GMT