  1. Commons Validator
  2. VALIDATOR-460

Update Apache Commons BeanUtils dependency from 1.9.3 to 1.9.4


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6
    • Fix Version/s: 1.7
    • Component/s: None
    • Labels: None

    Description

      CVE-2019-10086. Apache Commons Beanutils does not suppress the class property in bean introspection by default.

      From BeanUtils:

      The primary reason for this release is a bugfix for CVE-2014-0114. More specifically, our goal with BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not allow class level access. The goal in doing this now is to bring 1.9.X into alignment with the same behaviour of the 2.X version line in regards to security. If one would like to opt out of the default behaviour, one could follow the example set out in the test class available in src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
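
A check for the default described above, added here as an example (it is not code from Commons Validator or BeanUtils): it reports whether the BeanUtils version on the classpath suppresses the `class` property on a fresh `BeanUtilsBean`, then registers the suppressing introspector explicitly, which is the hardening available on 1.9.2 and 1.9.3. `ClassPropertyCheck` and `SampleBean` are constructed names.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    /** Constructed sample bean with one ordinary property. */
    public static class SampleBean {
        private String name = "example";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** True if the "class" property cannot be read through this instance. */
    static boolean classPropertySuppressed(BeanUtilsBean bub) throws Exception {
        try {
            bub.getProperty(new SampleBean(), "class");
            return false; // property resolved: class-level access is open
        } catch (NoSuchMethodException suppressed) {
            return true;  // introspection no longer exposes "class"
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Library default: a fresh instance, nothing configured.
        BeanUtilsBean defaults = new BeanUtilsBean();
        System.out.println("suppressed by default:  "
                + classPropertySuppressed(defaults));

        // 2. Explicit hardening for versions whose default leaves "class"
        //    readable. Register the introspector before first use, because
        //    property descriptors are cached per bean class.
        BeanUtilsBean hardened = new BeanUtilsBean();
        hardened.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("suppressed when added:  "
                + classPropertySuppressed(hardened));

        // 3. Ordinary properties remain readable after hardening.
        System.out.println("name still readable:    "
                + hardened.getProperty(new SampleBean(), "name"));
    }
}
```

Code that goes through the shared instance would need the same introspector registered on `BeanUtilsBean.getInstance().getPropertyUtils()` at startup if it has to stay on 1.9.3.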


            People

              Assignee: Unassigned
              Reporter: Gary D. Gregory (ggregory)