Uploaded image for project: 'Commons BeanUtils'
  1. Commons BeanUtils
  2. BEANUTILS-520

Mitigate CVE-2014-0114

Agile BoardAttach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    Description

      https://nvd.nist.gov/vuln/detail/CVE-2014-0114

      Due to the above CVE in 1.9.2 they added a Suppression but it is still being marked as a security risk through most major checks from OWASP and Sonatype IQ.

      "commons-beanutils added a SuppressPropertiesBeanIntrospector which includes a specialized instance of itself as the SUPPRESS_CLASS constant beginning in version 1.9.2 that specifically suppresses the class property. However, this fix is not enabled by default."

      For BeanUtils2 why not make this the default and have people "enable" it if it they want to get the feature.

      Thanks for your consideration.

      Attachments

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            chtompki Rob Tompkins
            melloware Melloware
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - 0h
              0h
              Logged:
              Time Spent - 20m
              20m

              Slack

                Issue deployment