Any Idea why the following vulnerability has not been updated to reflect what 
version the fix was in?
Looks like in "BEANUTILS-463" Apache says it was fixed in 1.9.2, but the CVE on 
the National Vulnerability Database (NVD) does not reflect that.
https://issues.apache.org/jira/browse/BEANUTILS-463


commons-beanutils : 1.9.2
CVE-2014-0114 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114):
commons-beanutils through 1.9.2 does not suppress the class property, which 
allows remote attackers to "manipulate" the ClassLoader and execute arbitrary 
code via the class parameter, as demonstrated by the passing of this parameter 
to the getClass method.

Just wondering,

Tim Grimmett
Information Security Oversight Unit (ISOU)-AppSec Team
Privacy, Security and Disclosure Bureau (PSDB)
Franchise Tax Board
(916) 845-4537

Secure coding is about increasing the complexity
demanded for an attack to succeed.

______________________________________________________________________
CONFIDENTIALITY NOTICE: This email from the State of California is for the sole 
use of the intended recipient and may contain confidential and privileged 
information. Any unauthorized review or use, including disclosure or 
distribution, is prohibited. If you are not the intended recipient, please 
contact the sender and destroy all copies of this email.
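The mitigation that BEANUTILS-463 shipped in 1.9.2 is a bean introspector that hides the "class" property from BeanUtils' own property lookup, so that request parameters copied with populate() can no longer reach getClass(). The following is an added example, not code from the email above or from the Apache project; it assumes commons-beanutils 1.9.2 or later on the classpath, registers the introspector explicitly rather than relying on any default configuration, and uses a hypothetical UserForm bean and constructed parameter map.

```java
import java.beans.PropertyDescriptor;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassDemo {

    /** Hypothetical form bean that untrusted request parameters get copied into. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Build a BeanUtilsBean whose introspection never reports the "class"
     * property. SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is the
     * introspector added in 1.9.2 (BEANUTILS-463); it is registered here
     * explicitly so the application does not depend on library defaults.
     */
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean utils = new BeanUtilsBean();
        PropertyUtilsBean props = utils.getPropertyUtils();
        props.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return utils;
    }

    /** True if BeanUtils introspection of the bean still reports the named property. */
    public static boolean exposesProperty(BeanUtilsBean utils, Object bean, String property) {
        for (PropertyDescriptor pd : utils.getPropertyUtils().getPropertyDescriptors(bean)) {
            if (pd.getName().equals(property)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();

        // Check that covers the CVE: is "class" still a reachable property?
        BeanUtilsBean plain = new BeanUtilsBean();
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("default  exposes 'class': " + exposesProperty(plain, form, "class"));
        System.out.println("hardened exposes 'class': " + exposesProperty(hardened, form, "class"));

        // Constructed sample parameters, shaped like what a servlet hands to populate().
        // The "class" key is a constructed probe, not a real request.
        Map<String, Object> params = new HashMap<String, Object>();
        params.put("name", "alice");
        params.put("class", "probe-value");

        // With the introspector registered, "class" is unknown to BeanUtils, so the
        // entry is skipped and only the legitimate "name" property is set.
        hardened.populate(form, params);
        System.out.println("name after populate: " + form.getName());
    }
}
```

The exposesProperty check doubles as a unit test for a deployment: run it against the BeanUtilsBean instance the application actually uses (many frameworks hold their own instance rather than BeanUtilsBean.getInstance()), and fail the build if it still reports "class".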
