Vulnerability reported in Apache Commons Beanutils (CVE-2019-10086)
Issue date: 01-11-2019Affects versions: 13.3, 13.2, 12.6, 11.2
Issue ID: SECURITY-125
Affected Product Version(s)
13.3.0, 13.2.2, 12.6.6, 11.2.15.1 (and previous patch releases)
Severity
Medium
Description
A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the class property of Java objects to get access to the classloader.
However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default, thus protecting against CVE-2014-0114.
Instructions
Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.