Security hole in org.apache.bval.util.MethodAccess.get()
--------------------------------------------------------
Key: BVAL-91
URL: https://issues.apache.org/jira/browse/BVAL-91
Project: BeanValidation
Issue Type: Bug
Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
Reporter: Jörg Waßmer
Priority: Critical

MethodAccess.get() surrounds the call to Method.invoke() by a privileged
action. Thus the bean getter method will be executed with all the privileges of
the MethodAccess class, allowing application code to break out of its own
security domain.

Method.invoke() should be called without the privileged action.
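
An added example, not part of the original report and not BVal's code: the invocation pattern the report describes, next to the one it asks for. The class, bean and method names are hypothetical, and the difference in behaviour assumes a JVM running with a SecurityManager and a policy (a mechanism deprecated since Java 17).

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical stand-in for a library-side accessor; not the BVal source.
public class GetterAccessDemo {

    // Constructed sample bean. With a SecurityManager installed, reading the
    // property triggers a PropertyPermission check against the call stack.
    public static class Bean {
        public String getHome() {
            return System.getProperty("user.home");
        }
    }

    // Pattern from the report: invoke() sits inside the privileged action.
    // The permission check stops walking the stack at this method, so the
    // protection domains of whoever called the library are never consulted.
    static Object getPrivileged(final Method getter, final Object bean) throws Exception {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Object>) () -> getter.invoke(bean));
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    // Remedy from the report: invoke() is called without the privileged action,
    // so the check walks the full stack, including the library's callers.
    static Object getUnprivileged(Method getter, Object bean) throws Exception {
        return getter.invoke(bean);
    }

    public static void main(String[] args) throws Exception {
        Method getter = Bean.class.getMethod("getHome");
        Bean bean = new Bean();
        // Without a SecurityManager both calls return the same value; under a
        // restrictive policy only the second honours the caller's permissions.
        System.out.println(getPrivileged(getter, bean));
        System.out.println(getUnprivileged(getter, bean));
    }
}
```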