[
https://issues.apache.org/jira/browse/VALIDATOR-460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gary D. Gregory updated VALIDATOR-460:
--------------------------------------
Description:
*CVE-2019-10086.* Apache Commons Beanutils does not suppress the class
property in bean introspection by default.
From BeanUtils:
{quote}The primary reason for this release is a bugfix for CVE-2014-0114. More
specifically, our goal with BEANUTILS-520 is to set the default behaviour of
the BeanUtilsBean to not allow class level access. The goal in doing this now
is to bring 1.9.X into alignment with the same behaviour of the 2.X version
line in regards to security. If one would like to opt out of the default
behaviour, one could follow the example set out in the test class available in
src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
{quote}
was:
*CVE-2019-10086.* Apache Commons Beanutils does not suppress the class
property in bean introspection by default.
> Update Apache Commons BeanUtils dependency from 1.9.3 to 1.9.4
> --------------------------------------------------------------
>
> Key: VALIDATOR-460
> URL: https://issues.apache.org/jira/browse/VALIDATOR-460
> Project: Commons Validator
> Issue Type: Improvement
> Affects Versions: 1.6
> Reporter: Gary D. Gregory
> Priority: Major
>
> *CVE-2019-10086.* Apache Commons Beanutils does not suppress the class
> property in bean introspection by default.
> From BeanUtils:
> {quote}The primary reason for this release is a bugfix for CVE-2014-0114.
> More specifically, our goal with BEANUTILS-520 is to set the default
> behaviour of the BeanUtilsBean to not allow class level access. The goal in
> doing this now is to bring 1.9.X into alignment with the same behaviour of
> the 2.X version line in regards to security. If one would like to opt out of
> the default behaviour, one could follow the example set out in the test class
> available in
> src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
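A check that a consumer of this dependency can run, added here as an example and not part of the issue or of the BeanUtils project: it reports whether the `class` property is readable through a PropertyUtilsBean (the class-level access the CVE concerns) and then registers BeanUtils' SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS explicitly, which is the behaviour 1.9.4 makes the default. The Sample bean and the class name ClassPropertyCheck are constructed for the example.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Plain bean used as the introspection target (constructed for this example).
    public static class Sample {
        private String name = "demo";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True when "class" is exposed as a readable bean property, i.e. when
    // java.lang.Object#getClass() is reachable through property access.
    static boolean classPropertyExposed(PropertyUtilsBean pub) {
        return pub.isReadable(new Sample(), "class");
    }

    // Registers the suppressing introspector explicitly. On 1.9.4 this matches
    // the default; on 1.9.2 and 1.9.3 it is what closes the class property.
    static PropertyUtilsBean harden(PropertyUtilsBean pub) {
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per bean class; drop the cache so beans already
        // introspected before hardening are re-examined with the new introspector.
        pub.clearDescriptors();
        return pub;
    }

    public static void main(String[] args) {
        PropertyUtilsBean pub = new BeanUtilsBean().getPropertyUtils();
        System.out.println("class exposed before hardening: " + classPropertyExposed(pub));
        harden(pub);
        System.out.println("class exposed after hardening:  " + classPropertyExposed(pub));
    }
}
```

On a 1.9.4 classpath both lines print false; on 1.9.3 the first line prints true, which is the condition this dependency bump removes.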