[https://issues.apache.org/jira/browse/BEANUTILS-570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18066755#comment-18066755]
Arnout Engelen commented on BEANUTILS-570:
------------------------------------------
"the vulnerability" is very vague, please be more precise in future reports.
I suspect you're referring to
https://issues.apache.org/jira/browse/COLLECTIONS-580, but that one was
actually already fixed in 3.3.2. Or are you referring to a different issue?
There is a more detailed write-up on the issue at
[https://commons.apache.org/proper/commons-collections//security.html] and
[https://news.apache.org/foundation/entry/apache_commons_statement_to_widespread].
Bottom-line: we don't consider this a 'vulnerability', but are interested in
reducing the risk of vulnerabilities elsewhere by hardening our components so
they cannot be used in such gadget chains.
Would releasing 2.0.0 as 'generally available' be a suitable solution in your
case?
> Vulnerability in commons-beanutils 1.9.4
> ----------------------------------------
>
> Key: BEANUTILS-570
> URL: https://issues.apache.org/jira/browse/BEANUTILS-570
> Project: Commons BeanUtils
> Issue Type: Bug
> Components: Bean-Collections
> Affects Versions: 1.9.4
> Reporter: Chirag Shah
> Priority: Major
> Fix For: 2.0.0-M2
>
>
> Commons BeanUtils uses the Commons Collections 3.3.2 library, which has the
> vulnerability identified against it. The required fix is to upgrade
> commons-collections to version 4.4 or above. Commons BeanUtils 2.0.0 is already
> available but not generally released. Need help to release that library.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)