Description

According to NVD, CVE-2017-7525 is a vulnerability in jackson-databind, not Apache Struts. The vulnerability was fixed in FasterXML/jackson-databind#1599. Apache Struts was merely modified in apache/struts@0d42ff5, apache/struts@941374e, and apache/struts@a2824b7 to upgrade to Jackson version 2.9.2.

Should CVE-2017-7525 be curated as a vulnerability in the Apache Struts project?

Description

In the qualitative analysis of archeogit using http-vulnerabilities, we found certain commits that likely contributed to a vulnerability but were not curated as such. The issue is a summary of all such commits for consideration.

• CVE-2013-1966
  • 3f1f9a133bba5739273ebc1212f067eff1613a0f is a contributing commit. 3f1f9a133bba5739273ebc1212f067eff1613a0f did indeed modify the line that was later modified to fix the vulnerability. As a consequence, it is reasonable to characterize it as a contributing commit.
• CVE-2014-0113
  • 0efcc08445720822c2c44a5db426c68a48f0c8aa is a contributing commit. 0efcc08445720822c2c44a5db426c68a48f0c8aa did indeed modify the line that we modified to fix the vulnerability. As a consequence, it is reasonable to expect the commit to be characterized as a contributing commit.
• CVE-2016-4433
  • 86813c1a7214bc002a5d7ce9981a9ef333e27142 is a contributing commit. 86813c1a7214bc002a5d7ce9981a9ef333e27142 did indeed add a method that was modified to add a check in the vulnerability fixing commit.
  • 702738693ce9206f3023903d73094fe1522cb91c is a contributing commit. 702738693ce9206f3023903d73094fe1522cb91c did indeed modify the line that was later modified to fix the vulnerability.
• CVE-2017-5638
  • c01d3a92db7f71f751a0522912d24bcf4a94a1b0 is a contributing commit. c01d3a92db7f71f751a0522912d24bcf4a94a1b0 added the file along with 3,103 other files that was modified to fix the vulnerability. The lines that were modified when fixing the vulnerability were added by this contributing commit.
• CVE-2017-9787
  • 8e9f9fb89ff84e3f383d0aef73443af919c271d7 is a contributing commit. 8e9f9fb89ff84e3f383d0aef73443af919c271d7 did indeed modify the code in core/src/main/java/com/opensymphony/xwork2/interceptor/ChainingInterceptor.java that was eventually modified to fix the vulnerability. Furthermore, the commit message of the contributing commit is also indicative of the type of change the commit is contributing and the description of the vulnerability is also on the same functionality.
• CVE-2017-9804
  • 931df54ab379bf4eb5a625bf05066b8563c3737b is a contributing commit. 931df54ab379bf4eb5a625bf05066b8563c3737b did indeed add the regular expression (DEFAULT_URL_REGEX) which was specifically modified in both commits that fixed the vulnerability.
• CVE-2017-12611
  • 97f531cee67fb23cd92dceb86f170cd683dfd955 is a contributing commit. Although 97f531cee67fb23cd92dceb86f170cd683dfd955 added comments that were deleted when 5a0f2e1aaf8d420bd74033175e6e459883160487 fixed the vulnerability, there are lines that were added by the contributing commit that had to be modified to fix the vulnerability. As a consequence, it is reasonable to characterize 97f531cee67fb23cd92dceb86f170cd683dfd955 as a contributing commit.