[
https://issues.apache.org/jira/browse/VALIDATOR-460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gary D. Gregory closed VALIDATOR-460.
-------------------------------------
Fix Version/s: 1.7
Resolution: Fixed
In git master.
> Update Apache Commons BeanUtils dependency from 1.9.3 to 1.9.4
> --------------------------------------------------------------
>
> Key: VALIDATOR-460
> URL: https://issues.apache.org/jira/browse/VALIDATOR-460
> Project: Commons Validator
> Issue Type: Improvement
> Affects Versions: 1.6
> Reporter: Gary D. Gregory
> Priority: Major
> Fix For: 1.7
>
>
> *CVE-2019-10086.* Apache Commons Beanutils does not suppress the class
> property in bean introspection by default.
> From BeanUtils:
> {quote}The primary reason for this release is a bugfix for CVE-2014-0114.
> More specifically, our goal with BEANUTILS-520 is to set the default
> behaviour of the BeanUtilsBean to not allow class level access. The goal in
> doing this now is to bring 1.9.X into alignment with the same behaviour of
> the 2.X version line in regards to security. If one would like to opt out of
> the default behaviour, one could follow the example set out in the test class
> available in
> src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.
> {quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
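
The default change described in the quoted BeanUtils note can be checked from application code. The following is an added example, not code from the issue, from Commons Validator or from BeanUtils: the class `ClassPropertyCheck`, the `Probe` bean and both helper methods are hypothetical names. It assumes commons-beanutils 1.9.2 or later on the classpath, the first release line that ships `SuppressPropertiesBeanIntrospector`.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Added example: reports whether bean introspection exposes the "class" property. */
public class ClassPropertyCheck {

    /** Minimal bean used only as a probe (constructed for this example). */
    public static class Probe {
        private String name = "probe";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Returns true if "class" is readable as a bean property on this instance. */
    static boolean classPropertyExposed(BeanUtilsBean bub) throws Exception {
        try {
            bub.getProperty(new Probe(), "class");
            return true;   // introspection resolved getClass() as a property
        } catch (NoSuchMethodException suppressed) {
            return false;  // the property is hidden from introspection
        }
    }

    /**
     * Builds an instance that suppresses "class" regardless of the library default.
     * On a release whose default already suppresses it, the extra introspector
     * is redundant but harmless.
     */
    static BeanUtilsBean hardened() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils()
           .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    public static void main(String[] args) throws Exception {
        // The first line depends on which BeanUtils version is resolved at runtime.
        System.out.println("default instance exposes class:  "
                + classPropertyExposed(new BeanUtilsBean()));
        System.out.println("hardened instance exposes class: "
                + classPropertyExposed(hardened()));
    }
}
```

Running the check against the resolved dependency tree shows whether a transitive pin is still pulling in a BeanUtils version with the older default after the upgrade.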