<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding
3
+
copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may
4
+
obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed
5
+
on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the
<p>This page lists all security vulnerabilities fixed in released versions of this component.
20
+
<p>This page lists all security vulnerabilities fixed in released versions of this component.
34
21
</p>
35
22
<p>Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the component version
36
-
that you are using.
23
+
that you are using.
37
24
</p>
38
25
<p>
39
26
If you need help on building this component or other help on following the instructions to mitigate the known vulnerabilities listed here, please send
40
-
your questions to the public
41
-
<ahref="mail-lists.html">user mailing list</a>.
27
+
your questions to the
28
+
public
29
+
<ahref="mail-lists.html">user mailing list</a>
30
+
.
42
31
</p>
43
32
<p>If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions here are
44
-
incomplete, please report them privately to the Apache Security Team. Thank you.
33
+
incomplete, please report
34
+
them privately to the Apache Security Team. Thank you.
45
35
</p>
46
36
</section>
47
37
<sectionname="Security Vulnerabilities">
48
-
<p>None.</p>
38
+
<subsectionname="CVE-2019-10086">
39
+
<ul>
40
+
<li>CVE-2019-10086: Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.</li>
41
+
<li>Severity: Medium</li>
42
+
<li>Vendor: The Apache Software Foundation</li>
43
+
<li>Versions Affected: commons-beanutils-1.9.3 and earlier</li>
44
+
<li>Description: A special BeanIntrospector class was added in version 1.9.2.
45
+
This can be used to stop attackers from using the class property of
46
+
Java objects to get access to the classloader.
47
+
However this protection was not enabled by default.
48
+
PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
49
+
level property access by default, thus protecting against
50
+
CVE-2014-0114.
51
+
</li>
52
+
53
+
<li>Mitigation: 1.X users should migrate to 1.9.4.</li>
54
+
55
+
<li>Credit: This was discovered by Melloware (https://melloware.com/).</li>
56
+
</ul>
57
+
<p>
58
+
Example:
59
+
</p>
60
+
<pre>
61
+
/**
62
+
* Example displaying the new default behavior such that
63
+
* it is not possible to access class level properties utilizing the
64
+
* BeanUtilsBean, which in turn utilizes the PropertyUtilsBean.
65
+
*/
66
+
public void testSuppressClassPropertyByDefault() throws Exception {
67
+
final BeanUtilsBean bub = new BeanUtilsBean();
68
+
final AlphaBean bean = new AlphaBean();
69
+
try {
70
+
bub.getProperty(bean, "class");
71
+
fail("Could access class property!");
72
+
} catch (final NoSuchMethodException ex) {
73
+
// ok
74
+
}
75
+
}
76
+
77
+
/**
78
+
* Example showing how by which one would use to revert to the
79
+
* behaviour prior to the 1.9.4 release where class level properties were accessible by
80
+
* the BeanUtilsBean and the PropertyUtilsBean.
81
+
*/
82
+
public void testAllowAccessToClassProperty() throws Exception {
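Review bot: two wording problems in the new CVE-2019-10086 subsection should be fixed before this lands: the summary bullet reads "does not suppresses the class property in PropertyUtilsBean by default" and should read "does not suppress", and the Javadoc on the second snippet, "Example showing how by which one would use to revert to the behaviour prior to the 1.9.4 release", should be cut to "Example showing how to revert to the behaviour prior to the 1.9.4 release". The first example also relies on `AlphaBean` and the JUnit `fail(...)` helper without saying so; readers of security.html will not have either, so either state in the "Example:" lead-in that the snippets are lifted from the unit tests or swap `AlphaBean` for any plain bean and drop `fail`. Minor: the reflow of lines 40-41 into 27-30 splits "public", the `<a href="mail-lists.html">` element and the trailing "." onto separate lines, which is harmless in the XML but is pure whitespace churn that makes the real change (the `<p>None.</p>` to `<subsection name="CVE-2019-10086">` replacement) harder to review.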