CVE-2012-1007 - Not Affected
Multiple parameters in the Struts Example Application are vulnerable to cross-site scripting (XSS).
Yellowfin does not ship with the Struts Example Application and is therefore not affected by the vulnerable parameters described here.
CVE-2013-2115 - Not Affected
Improper handling of the includeParams attribute in the URL and Anchor tags allows remote code execution (OGNL injection) in Apache Struts 2 before 2.3.14.2.
The includeParams attribute is not part of the Struts 1.x framework.
CVE-2013-1966 - Not Affected
Improper handling of the includeParams attribute in the URL and Anchor tags allows remote code execution (OGNL injection) in Apache Struts 2 before 2.3.14.1.
The includeParams attribute is not part of the Struts 1.x framework.
CVE-2014-0114 - Not Affected
Apache Commons BeanUtils, as bundled with Struts 1.x through 1.3.10, does not suppress the class property, allowing remote attackers to manipulate the ClassLoader and execute arbitrary code via a class parameter passed to an ActionForm.
This issue was patched in Struts 1.3.10.12fc. This item was tested by the Yellowfin Security team and has been confirmed as Not Affected.
CVE-2015-0899 - Not Affected
A vulnerability in MultiPageValidator allows attackers to bypass access restrictions via a modified page parameter.
This issue was patched in Struts 1.3.10.14fc. A source code analysis confirmed that our application does not use the MultiPageValidator class.
CVE-2016-0785
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute.
Struts 1.x uses a different tag library that is not compatible with Struts 2.x; the vulnerable "%{}" sequence is part of the Struts 2.x OGNL tag syntax.
CVE-2016-1181 - Not Affected
ActionServlet.java mishandles multithreaded access to an ActionForm instance, allowing remote code execution or denial of service via a multipart request.
This issue was patched in Struts 1.3.10.19fc. We have applied a static patch to our bundled Struts 1.3.10.17fc to address this. A source code analysis also showed that we do not use the vulnerable classes.
CVE-2016-1182 - Not Affected
ActionServlet.java does not properly restrict the Validator configuration, allowing cross-site scripting (XSS) or denial of service via crafted input.
This issue was patched in Struts 1.3.10.19fc. We have applied a static patch to our bundled Struts 1.3.10.17fc to address this. A source code analysis also showed that we do not use the vulnerable classes.
CVE-2017-5638 - Not Affected
This relates to a vulnerability in the Jakarta Multipart parser of Struts 2. A crafted Content-Type HTTP header containing an OGNL expression is evaluated by the server during multipart handling, allowing remote code execution.
This vulnerability is specific to the JakartaMultiPartRequest class, which is not part of the Struts 1.x framework.
CVE-2017-9805 - Not Affected
A vulnerability in the REST Plugin of Struts 2.x allows XStream deserialization of XML request payloads without any type filtering, leading to Remote Code Execution.
The REST Plugin for Struts is only available with Struts 2.1.1 or later. Yellowfin does not use the vulnerable component or classes.
CVE-2017-12611 - Not Affected
Using an attacker-controlled expression instead of a string literal in a Freemarker tag can lead to RCE in Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1.
Yellowfin does not integrate Freemarker tags into its Struts 1 framework and is therefore not affected.
CVE-2018-11776 - Not Affected
This vulnerability is listed against Struts 2.3.x before 2.3.35 and 2.5.x before 2.5.17. It is a Remote Code Execution (RCE) vulnerability that occurs when alwaysSelectFullNamespace is set to true and actions are configured with no namespace or a wildcard namespace, so that an OGNL expression injected into the URL path is evaluated as the namespace.
Struts 1 uses action mappings rather than the Struts 2 namespaces, so the affected configuration does not exist in Struts 1.
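As a check a practitioner can run over their own access logs or proxy captures, the block below (an added example, not Yellowfin's or the Struts project's code) matches HTTP requests against the public request-level signatures of three of the issues listed above: the class.classLoader parameter of CVE-2014-0114, the OGNL expression in the Content-Type header of CVE-2017-5638, and the OGNL expression in the URL namespace of CVE-2018-11776. The request dictionary shape, the sample requests and the regular expressions are assumptions of the example; a match means a probe was attempted against the application, not that the application is vulnerable.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names that reach the "class" property of a Struts 1 ActionForm and
# from there the ClassLoader (CVE-2014-0114), e.g.
# class.classLoader.resources.dirContext.docBase
CLASS_PARAM_RE = re.compile(r"(^|\.)class(\.|\[)", re.IGNORECASE)

# OGNL expression delimiters: the CVE-2017-5638 payload places one in the
# Content-Type header, the CVE-2018-11776 payload places one in a path segment.
OGNL_RE = re.compile(r"[%$]\{")


def scan_request(req):
    """Return the CVE identifiers whose public request-level signature matches.

    `req` is a dict with keys "method", "path" (path plus optional query
    string), "headers" (dict) and an optional form-encoded "body". This shape
    is an assumption of the example, not a Yellowfin or Struts API.
    """
    findings = []
    parts = urlsplit(req["path"])

    # CVE-2014-0114: a "class." parameter name in the query string or form body.
    # parse_qsl URL-decodes names, so "class%2EclassLoader" is caught as well.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(req.get("body", ""), keep_blank_values=True)
    if any(CLASS_PARAM_RE.search(name) for name, _ in params):
        findings.append("CVE-2014-0114")

    # CVE-2017-5638: an OGNL expression where a MIME type should be.
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if OGNL_RE.search(headers.get("content-type", "")):
        findings.append("CVE-2017-5638")

    # CVE-2018-11776: an OGNL expression in a path segment, i.e. the namespace
    # Struts 2 would derive from the URL. Decode first so %24%7B is caught too.
    if OGNL_RE.search(unquote(parts.path)):
        findings.append("CVE-2018-11776")

    return findings


def scan_all(requests):
    """Return (index, findings) for each request matching at least one signature."""
    flagged = []
    for i, req in enumerate(requests):
        findings = scan_request(req)
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed sample requests for this example; not captured traffic.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/login.do?username=alice&password=x",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "POST",
     "path": "/upload.do?class.classLoader.resources.dirContext.docBase=/tmp",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "POST", "path": "/upload.do",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#cmd='id')}"}},
    {"method": "GET", "path": "/${(1+1)}/actionChain1.action", "headers": {}},
]

if __name__ == "__main__":
    for index, cves in scan_all(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(cves)}")
```

The regular expressions are deliberately narrow so that a parameter merely named classname or a path containing a literal dollar sign does not trigger them; widen them only with a corresponding false-positive check against normal traffic for the application being monitored.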