Apache Struts Called Out For Incorrect Security Advisories
The Apache Struts project has repeatedly provided incorrect and incomplete information in the security advisories for its popular open-source web application framework, new research by Synopsys has found. Twenty-four of the 57 security advisories covered by the study contained errors in the Apache Struts versions they listed as affected by a given security flaw. In total, 61 additional versions of the framework turned out to be affected by one or more vulnerabilities.
Synopsys said that the errors included both false positives (versions listed as vulnerable that were not) and false negatives (affected versions that were not listed), with the latter category being the more serious problem. “Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security,” the report states. The errors have now been fixed and a new Apache Struts Security Advisories page has been published.