[ https://issues.apache.org/jira/browse/VALIDATOR-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14280685#comment-14280685 ]
Sebb commented on VALIDATOR-357:
--------------------------------
Currently the only references to BeanUtils are to PropertyUtils:
Field: calls PropertyUtils.getProperty(bean, this.getIndexedListProperty()); twice
ValidatorUtils: public static String getValueAsString(Object bean, String property)
PropertyUtils.getProperty(bean, property);
> Upgrade BeanUtils
> -----------------
>
> Key: VALIDATOR-357
> URL: https://issues.apache.org/jira/browse/VALIDATOR-357
> Project: Commons Validator
> Issue Type: New Feature
> Components: Framework
> Affects Versions: 1.1.3 Release, 1.2.0 Release, 1.3.0 Release, 1.3.1 Release, 1.4.0 Release, 1.4.1 Release
> Reporter: David Dillard
> Priority: Minor
> Fix For: 1.5.0
>
>
> Validator 1.41 depends on BeanUtils 1.8.3. This has a "potential security
> issue", see
> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
> Also, see http://www.cvedetails.com/cve-details.php?t=1&cve_id=cve-2014-0114
> Even if this issue doesn't affect Validator, BeanUtils should be upgraded so
> that issue doesn't affect other users of BeanUtils given the screwy way
> some builders (e.g. Maven) resolve conflicting dependencies.