You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Brian Demers (JIRA)" <ji...@apache.org> on 2017/02/13 18:53:41 UTC

[jira] [Resolved] (SHIRO-612) Need to upgrade BeanUtils to avoid vulnerability

     [ https://issues.apache.org/jira/browse/SHIRO-612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Demers resolved SHIRO-612.
--------------------------------
       Resolution: Duplicate
    Fix Version/s: 1.4.0-RC2

Please clarify, take a look at the pom listed below, it lists 1.9.3 as the {{beanutils}} version:

http://repo1.maven.org/maven2/org/apache/shiro/shiro-root/1.4.0-RC2/shiro-root-1.4.0-RC2.pom

Please comment or reopen if you I'm missing something.

> Need to upgrade BeanUtils to avoid vulnerability
> ------------------------------------------------
>
>                 Key: SHIRO-612
>                 URL: https://issues.apache.org/jira/browse/SHIRO-612
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.4.0-RC2
>            Reporter: David Dillard
>             Fix For: 1.4.0-RC2
>
>
> Currently, the POM specifies to use BeanUtils 1.8.3.  Unfortunately, this has a known vulnerability (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114) and there's a Metasploit module available to make exploitation easier.  This needs to be upgraded to the fixed version 1.9.3.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)