Vulnerability reported in Apache Commons Beanutils (CVE-2019-10086) 

Issue date: 01-11-2019
Affects versions: 13.3, 13.2, 12.6, 11.2

Issue ID: SECURITY-125


Affected Product Version(s)
13.3.0, 13.2.2, 12.6.6, (and previous patch releases)




A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the class property of Java objects to get access to the classloader.
However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default, thus protecting against CVE-2014-0114.


Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.