[GHSA-qw4h-3xjj-84cc] Apache Tiles: Unvalidated input may lead to path traversal and XXE

[ryanmurf]

Updates

• Affected products

Comments
I submitted this before as #6311 and it was closed. I'm going to give some more context and am asking for another review.

Apache-Tiles originally Struts-Tiles see here was split from the struts source code at at version 2. The first release of Apache-Tiles started at version 2 see here.

Here is a link to tiles and tiles2 in the apache struts1 source code

• https://github.com/apache/struts1/tree/trunk/tiles
• https://github.com/apache/struts1/tree/trunk/tiles2

Here is a link talking about the file name changes in Apache-Tiles vs Struts-Tiles

• https://github.com/apache/tiles/blob/2601bcd2d8c7c5f1dde663830093c426ffff3da4/src/site/apt/migration/extension.apt#L75

The file I marked in the link above is here in struts1

• https://github.com/apache/struts1/blob/trunk/tiles/src/main/java/org/apache/struts/tiles/xmlDefinition/I18nFactorySet.java

Tiles is included in Struts 1. This CVE also impacts tiles in the struts1 packages.

Struts 1 the groupId was struts from 1.1 to 1.2.9 then was changed to org.apache.struts in >=1.3 to the last release 1.3.10. Tiles was included in struts:stuts 1.1-1.2.9 and in struts 1 >=1.3 was moved to org.apache.struts:struts-tiles.

[Copilot]

Pull Request Overview

This PR adds a new security advisory for Apache Tiles (CVE-2023-49735) that addresses path traversal and XXE vulnerabilities. The advisory expands coverage beyond the original Apache Tiles packages to include affected Struts 1 packages that historically included Tiles functionality.

• Creates a new JSON advisory file documenting the vulnerability
• Includes multiple affected package ranges covering Apache Tiles, Struts Tiles, and legacy Struts packages
• Documents severity, references, and CWE classifications for the security issue

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}