[ 
https://issues.apache.org/jira/browse/BEANUTILS-520?focusedWorklogId=249302&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-249302
 ]

ASF GitHub Bot logged work on BEANUTILS-520:
--------------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/May/19 12:31
            Start Date: 28/May/19 12:31
    Worklog Time Spent: 10m 
      Work Description: garydgregory commented on pull request #7: 
BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesB…
URL: https://github.com/apache/commons-beanutils/pull/7
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 249302)
    Time Spent: 20m  (was: 10m)

> BeanUtils2 mitigate CVE-2014-0114
> ---------------------------------
>
>                 Key: BEANUTILS-520
>                 URL: https://issues.apache.org/jira/browse/BEANUTILS-520
>             Project: Commons BeanUtils
>          Issue Type: Improvement
>          Components: Bean / Property Utils
>    Affects Versions: 1.9.3
>            Reporter: Melloware
>            Priority: Major
>              Labels: security
>             Fix For: 2.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> https://nvd.nist.gov/vuln/detail/CVE-2014-0114
> Due to the above CVE in 1.9.2 they added a Suppression but it is still being 
> marked as a security risk through most major checks from OWASP and Sonatype 
> IQ.
> "commons-beanutils added a SuppressPropertiesBeanIntrospector which includes 
> a specialized instance of itself as the SUPPRESS_CLASS constant beginning in 
> version 1.9.2 that specifically suppresses the class property. +However, this 
> fix is not enabled by default.+"
> For BeanUtils2 why not make this the default and have people "enable" it if 
> they want to get the feature.
> Thanks for your consideration.
>  
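The mitigation the issue refers to can be turned on per BeanUtilsBean instance today. The following is an added example, not code from the JIRA issue or from the commons-beanutils project: it registers SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS on a private PropertyUtilsBean and then checks whether a "class" property is still reported for a sample bean. The Person bean is constructed for the example, and commons-beanutils 1.9.2 or later (where SUPPRESS_CLASS exists) is assumed to be on the classpath.

```java
// Added example (not the project's own code): enabling the SUPPRESS_CLASS
// introspector on a dedicated BeanUtilsBean and verifying that the "class"
// property is no longer visible to introspection. Assumes commons-beanutils
// 1.9.2 or later on the classpath.
import java.beans.PropertyDescriptor;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    // Sample bean constructed for this example; any JavaBean would do.
    public static class Person {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Returns true if introspection reports a property named "class" for the bean.
    static boolean exposesClassProperty(PropertyUtilsBean utils, Object bean) {
        for (PropertyDescriptor pd : utils.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    // Builds a BeanUtilsBean whose PropertyUtilsBean has SUPPRESS_CLASS registered.
    // Registering it here, rather than on the shared static instance, keeps the
    // hardened configuration local to the code that uses it.
    static BeanUtilsBean hardenedBeanUtils() {
        PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return new BeanUtilsBean(new ConvertUtilsBean(), propertyUtils);
    }

    public static void main(String[] args) {
        Person p = new Person();

        // Shared default instance: in 1.9.3, the version the issue reports
        // against, the suppression is not enabled, so "class" is reported.
        PropertyUtilsBean defaults = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("default instance exposes 'class': "
                + exposesClassProperty(defaults, p));

        // Hardened instance: SUPPRESS_CLASS filters the "class" descriptor out.
        PropertyUtilsBean hardened = hardenedBeanUtils().getPropertyUtils();
        System.out.println("hardened instance exposes 'class': "
                + exposesClassProperty(hardened, p));
    }
}
```

A quick way to audit an application is to run the exposesClassProperty check against the PropertyUtilsBean it actually populates beans with; if that check returns true, the introspector has not been registered on the instance in use, which is exactly the "not enabled by default" gap the issue asks to close in 2.0.0.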



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
