Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 1.3.10
- None
- None
- any
- Patch, Important
Description
The current implementation of RequestUtils.populate(Object bean, String prefix, String suffix, HttpServletRequest request) allows an attacker to manipulate any settable classloader property along the classloader hierarchy. For example, an attacker can send parameters such as class.classLoader.delegateMode=true/false to turn the classloader's delegation mode on or off, which can cause a DoS effect on the application. To prevent this, any parameter whose name matches the "class.classLoader" pattern should be excluded from the binding properties created in this method.
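To make the mechanism and the proposed exclusion concrete, here is an added illustration written for this report; it is not Struts code and does not use commons-beanutils. It contains a small reflective property-path resolver in the spirit of how populate() walks dotted parameter names (each segment becomes a get<Segment>() call, and the last segment a set<Segment>() call), a FormBean standing in for an ActionForm, and a populate() wrapper that refuses any parameter name containing "class.classLoader" before binding. The class and method names (SafePopulator, FormBean, isForbidden, resolve, populate) are hypothetical.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Struts' own RequestUtils: a minimal property-path
// binder plus the "class.classLoader" exclusion the report asks for.
public class SafePopulator {

    /** Stand-in for a form bean (hypothetical). */
    public static class FormBean {
        private String name = "";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Parameter names that must never be bound to the bean. */
    public static boolean isForbidden(String paramName) {
        // Case-insensitive so capitalisation variants are refused as well.
        return paramName.toLowerCase().contains("class.classloader");
    }

    private static String cap(String s) {
        return Character.toUpperCase(s.charAt(0)) + s.substring(1);
    }

    /** Walks a dotted path by invoking get<Segment>() on each intermediate object. */
    public static Object resolve(Object root, String path) throws Exception {
        Object current = root;
        for (String segment : path.split("\\.")) {
            Method getter = current.getClass().getMethod("get" + cap(segment));
            current = getter.invoke(current);
        }
        return current;
    }

    /**
     * Binds String parameters onto the bean via set<LastSegment>(String) and
     * returns the parameters that were skipped by the exclusion check.
     */
    public static Map<String, String> populate(Object bean, Map<String, String> params) throws Exception {
        Map<String, String> skipped = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String key = e.getKey();
            if (isForbidden(key)) {
                skipped.put(key, e.getValue());
                continue;
            }
            int dot = key.lastIndexOf('.');
            Object target = dot < 0 ? bean : resolve(bean, key.substring(0, dot));
            String last = dot < 0 ? key : key.substring(dot + 1);
            Method setter = target.getClass().getMethod("set" + cap(last), String.class);
            setter.invoke(target, e.getValue());
        }
        return skipped;
    }

    public static void main(String[] args) throws Exception {
        FormBean bean = new FormBean();

        // Any bean exposes getClass(), and Class exposes getClassLoader(), so an
        // unfiltered path walker reaches the application's ClassLoader:
        Object reached = resolve(bean, "class.classLoader");
        System.out.println("class.classLoader resolves to: " + reached.getClass().getName());

        // Constructed request parameters: one legitimate, one targeting the loader.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.delegateMode", "false");

        Map<String, String> skipped = populate(bean, params);
        System.out.println("name = " + bean.getName());      // alice
        System.out.println("skipped = " + skipped.keySet());   // [class.classLoader.delegateMode]
    }
}
```

The first resolve() call shows why the exclusion is needed: without it, the same getter-chasing logic that reaches nested form properties also reaches the ClassLoader through getClass().getClassLoader(). The check in isForbidden() is deliberately a substring match on the whole parameter name rather than a check on the first segment only, so the pattern is refused wherever it appears in the path.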