Project: Shiro
Issue: SHIRO-619

Used Limited access BeanUtilsBean


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: 1.3.2, 1.4.0-RC2

    Description

      This issue stems from https://issues.apache.org/jira/browse/SHIRO-576.

      In my humble opinion, it is not enough just to set the version of commons-beanutils to 1.9.2 or to 1.9.3 in order to fix the CVE-2014-0114 vulnerability, because the mentioned versions DO NOT fix it by default. In contrast, the fix should be applied explicitly by beanutils-consuming applications (see the INTRODUCTION section in http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt).

      So, if Shiro uses BeanUtilsBean somehow and is vulnerable to the mentioned CVE, it would be worth configuring BeanUtilsBean as recommended in beanutils' release notes.
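      The configuration the release notes recommend, shown as an added example rather than Shiro's own code: a dedicated BeanUtilsBean instance registers the SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS introspector that commons-beanutils 1.9.2 added, so the "class" property is no longer exposed to property-setting from untrusted input. The Config bean is a constructed stand-in for whatever object an application populates; the isReadable checks let a reviewer confirm the hardening took effect.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class HardenedBeanUtils {

    // Constructed sample bean: stands in for an application object whose
    // properties are populated from externally supplied names and values.
    public static class Config {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Builds a BeanUtilsBean whose property introspection hides the "class"
     * property (the CVE-2014-0114 vector), as the 1.9.2 release notes advise.
     * A fresh instance is used so the hardening does not depend on the
     * per-classloader default obtained via BeanUtilsBean.getInstance().
     */
    public static BeanUtilsBean hardened() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils()
           .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    /** True when the given BeanUtilsBean still exposes "class" on the bean. */
    public static boolean exposesClassProperty(BeanUtilsBean bub, Object bean) {
        PropertyUtilsBean pub = bub.getPropertyUtils();
        return pub.isReadable(bean, "class");
    }

    public static void main(String[] args) throws Exception {
        Config cfg = new Config();

        BeanUtilsBean unhardened = new BeanUtilsBean();   // default introspection
        BeanUtilsBean safe = hardened();                   // with SUPPRESS_CLASS

        // Default: "class" is a readable property, so setProperty can walk into it.
        System.out.println("default  exposes class: " + exposesClassProperty(unhardened, cfg));
        // Hardened: "class" is suppressed and cannot be addressed by name.
        System.out.println("hardened exposes class: " + exposesClassProperty(safe, cfg));

        // Ordinary properties keep working on the hardened instance.
        safe.setProperty(cfg, "name", "demo");
        System.out.println("name = " + cfg.getName());
    }
}
```

      The check is deliberately negative: after hardening, isReadable(bean, "class") must return false, and a unit test asserting that is a cheap guard against a later refactor that reverts to the unconfigured default instance.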


          People

            Assignee: Unassigned
            Reporter: Yauheni Sidarenka
            Votes: 1
            Watchers: 4