Posted to issues@commons.apache.org by "Gary D. Gregory (Jira)" <ji...@apache.org> on 2019/10/15 00:51:00 UTC

[jira] [Closed] (VALIDATOR-460) Update Apache Commons BeanUtils dependency from 1.9.3 to 1.9.4

     [ https://issues.apache.org/jira/browse/VALIDATOR-460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary D. Gregory closed VALIDATOR-460.
-------------------------------------
    Fix Version/s: 1.7
       Resolution: Fixed

In git master.

> Update Apache Commons BeanUtils dependency from 1.9.3 to 1.9.4
> --------------------------------------------------------------
>
>                 Key: VALIDATOR-460
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-460
>             Project: Commons Validator
>          Issue Type: Improvement
>    Affects Versions: 1.6
>            Reporter: Gary D. Gregory
>            Priority: Major
>             Fix For: 1.7
>
>
> *CVE-2019-10086.* Apache Commons Beanutils does not suppress the class property in bean introspection by default.
> From BeanUtils:
> {quote}The primary reason for this release is a bugfix for CVE-2014-0114. More specifically, our goal with BEANUTILS-520 is to set the default behaviour of the BeanUtilsBean to not allow class level access. The goal in doing this now is to bring 1.9.X into alignment with the same behaviour of the 2.X version line in regards to security. If one would like to opt out of the default behaviour, one could follow the example set out in the test class available in src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
> {quote}
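The behaviour change quoted above can be checked from application code. The following is an added example, not code from the issue or from the Commons projects; it assumes commons-beanutils 1.9.x on the classpath and uses a constructed sample bean (`Address`) to show whether the inherited `class` property is reachable through introspection, and how to register `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` explicitly for deployments that cannot yet rely on the 1.9.4 default.

```java
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {
    // Constructed sample bean: like every JavaBean it inherits getClass() from Object,
    // which plain introspection otherwise exposes as a readable "class" property.
    public static class Address {
        private String city = "Springfield";
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    // Returns true when bean introspection does NOT expose the "class" property,
    // i.e. class-level access (the CVE-2014-0114 / CVE-2019-10086 vector) is closed.
    public static boolean classPropertySuppressed(BeanUtilsBean beanUtils, Object bean) throws Exception {
        Map<String, String> props = beanUtils.describe(bean);
        return !props.containsKey("class");
    }

    public static void main(String[] args) throws Exception {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        Address address = new Address();

        // With 1.9.4 (BEANUTILS-520) this is already true out of the box;
        // with 1.9.3 and earlier it is false because "class" is still listed.
        System.out.println("suppressed by default: " + classPropertySuppressed(beanUtils, address));

        // Explicit hardening that works on any 1.9.x: register the introspector that
        // removes the "class" property, then drop cached descriptors so it takes effect.
        beanUtils.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        beanUtils.getPropertyUtils().clearDescriptors();

        System.out.println("suppressed after hardening: " + classPropertySuppressed(beanUtils, address));
    }
}
```

Running the check against the dependency version actually resolved into a build is a quick way to confirm that the upgrade described in this issue, or the explicit introspector registration, is in effect.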



--
This message was sent by Atlassian Jira
(v8.3.4#803005)