Rohit Kumar created HDDS-13287:
----------------------------------

             Summary: Upgrade Commons BeanUtils to 1.11.0 due to CVE-2025-48734
                 Key: HDDS-13287
                 URL: https://issues.apache.org/jira/browse/HDDS-13287
             Project: Apache Ozone
          Issue Type: Task
            Reporter: Rohit Kumar


h2. Description
*CVE-2025-48734:*
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. It can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum's class loader via the "declaredClass" property available on all Java "enum" objects. Accessing the enum's "declaredClass" allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the "declaredClass" property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

[https://nvd.nist.gov/vuln/detail/CVE-2025-48734] 

Base Score: 8.8 HIGH
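For code that cannot take the 1.11.0 upgrade immediately, the BeanIntrospector mechanism described above can be enabled explicitly on older 1.9.x releases. The example below is added here and is not code from this Ozone issue or from the BeanUtils project; the Job and Level types are hypothetical, and the advisory's "declaredClass" is the JavaBeans property backing Enum.getDeclaringClass(), whose introspected name is "declaringClass". The allowlist is an extra defence-in-depth step, not something the advisory requires.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.Collections;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public final class HardenedPropertyAccess {

    // Hypothetical bean types standing in for application objects.
    enum Level { INFO, WARN }

    public static class Job {
        public Level getLevel() { return Level.WARN; }
        public String getName() { return "nightly-compaction"; }
    }

    // A dedicated PropertyUtilsBean with the "class" property suppressed
    // (default since 1.9.4) and "declaringClass" suppressed, which 1.11.0
    // and 2.0.0-M2 do by default but earlier releases do not.
    private static final PropertyUtilsBean PROPS = new PropertyUtilsBean();
    static {
        PROPS.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        PROPS.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Collections.singleton("declaringClass")));
    }

    // Only property paths named here may be resolved from external input.
    private static final Set<String> ALLOWED_PATHS = Set.of("name", "level");

    /** Resolves an externally supplied property path against an allowlist. */
    public static Object read(Object bean, String externalPath)
            throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        if (!ALLOWED_PATHS.contains(externalPath)) {
            throw new IllegalArgumentException("property path not permitted: " + externalPath);
        }
        return PROPS.getNestedProperty(bean, externalPath);
    }

    public static void main(String[] args) throws Exception {
        Job job = new Job();
        System.out.println(read(job, "level"));   // WARN

        // Even bypassing the allowlist, the suppressed property no longer
        // resolves: PropertyUtilsBean reports it as an unknown property.
        try {
            PROPS.getNestedProperty(job, "level.declaringClass");
        } catch (NoSuchMethodException e) {
            System.out.println("suppressed: " + e.getMessage());
        }
    }
}
```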



--
This message was sent by Atlassian Jira
(v8.20.10#820010)