  1. OpenMRS Core
  2. TRUNK-6080

Exclude struts-core-1.3.8.jar from the maven dependencies


      Description

      A vulnerability has been reported in struts-core-1.3.8.jar, which comes in as part of the org.apache.velocity.velocitytools dependency.

      Steps followed to mitigate the vulnerability:

      1. Manually removed struts-core-1.3.8.jar from the OpenMRS environment.
      2. Restarted the OpenMRS service.

      Application started working fine without any issues, and we tested the basic flows. Everything looks fine. 

      Raised a Talk thread for the same:

      https://talk.openmrs.org/t/struts-core-1-3-8-security-vulnerability-in-openmrs-core/36523

      PR link to exclude struts-core-1.3.8.jar from the pom.xml:

      https://github.com/openmrs/openmrs-core/pull/4083
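
One way to keep the exclusion described above from regressing, as an added example that is not code from this ticket or from the OpenMRS project: a check that every velocity-tools dependency in a pom.xml excludes struts-core. The Maven coordinates (org.apache.velocity:velocity-tools, org.apache.struts:struts-core), the version 2.0 and the function name are assumptions, and the sample pom is constructed.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed pom.xml fragment showing the exclusion; the coordinates and
# version are assumptions, not copied from the OpenMRS pom.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-tools</artifactId>
      <version>2.0</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.struts</groupId>
          <artifactId>struts-core</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>"""


def missing_exclusions(pom_xml, parent="velocity-tools",
                       banned=("org.apache.struts", "struts-core")):
    """List 'groupId:artifactId' of each `parent` dependency lacking the exclusion."""
    root = ET.fromstring(pom_xml)
    missing = []
    # iter() also reaches entries under <dependencyManagement> and <profiles>.
    for dep in root.iter("{%s}dependency" % POM_NS):
        if dep.findtext("m:artifactId", namespaces=NS) != parent:
            continue
        covered = False
        for exc in dep.findall("m:exclusions/m:exclusion", NS):
            group = exc.findtext("m:groupId", namespaces=NS)
            artifact = exc.findtext("m:artifactId", namespaces=NS)
            # Maven also accepts "*" wildcards in exclusions.
            if group in (banned[0], "*") and artifact in (banned[1], "*"):
                covered = True
        if not covered:
            missing.append("%s:%s" % (dep.findtext("m:groupId", namespaces=NS), parent))
    return missing


if __name__ == "__main__":
    print(missing_exclusions(SAMPLE_POM) or "struts-core is excluded")
```

A pom check covers only this one path; `mvn dependency:tree -Dincludes=org.apache.struts` shows whether the jar still arrives through another dependency.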

       


              People

              Assignee:
              binduak Himabindu Akkinepalli
              Reporter:
              binduak Himabindu Akkinepalli
