Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.9.3
-
CVE-2014-0114
Description
https://nvd.nist.gov/vuln/detail/CVE-2014-0114
Due to the above CVE in 1.9.2 they added a Suppression but it is still being marked as a security risk through most major checks from OWASP and Sonatype IQ.
"commons-beanutils added a SuppressPropertiesBeanIntrospector which includes a specialized instance of itself as the SUPPRESS_CLASS constant beginning in version 1.9.2 that specifically suppresses the class property. However, this fix is not enabled by default."
For BeanUtils2 why not make this the default and have people "enable" it if it they want to get the feature.
Thanks for your consideration.
Attachments
Issue Links
- links to