At a guess (I don't know), it's because by default commons-beanutils behaviour is unchanged. It's necessary to use a custom inspector that ignores the class property - i.e. it's necessary for callers of the library to do the right thing.
Greg

On Fri, 24 Aug 2018 at 01:11, Grimmett, Tim@FTB <tim.grimm...@ftb.ca.gov> wrote:
> Any idea why the following vulnerability has not been updated to reflect
> what version the fix was in?
> Looks like in "BEANUTILS-463" Apache says it was fixed in 1.9.2, but the
> CVE on the National Vulnerability Database (NVD) does not reflect that.
> https://issues.apache.org/jira/browse/BEANUTILS-463
>
>
> commons-beanutils : 1.9.2
> CVE-2014-0114 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114>,
> commons-beanutils through 1.9.2 does not suppress the class property, which
> allows remote attackers to "manipulate" the ClassLoader and execute
> arbitrary code via the class parameter, as demonstrated by the passing of
> this parameter to the getClass method.
>
> Just wondering,
>
> Tim Grimmett
> Information Security Oversight Unit (ISOU)-AppSec Team
> Privacy, Security and Disclosure Bureau (PSDB)
> Franchise Tax Board
> (916) 845-4537
>
> Secure coding is about increasing the complexity
> demanded for an attack to succeed.
>
> ______________________________________________________________________
> CONFIDENTIALITY NOTICE: This email from the State of California is for the
> sole use of the intended recipient and may contain confidential and
> privileged information. Any unauthorized review or use, including
> disclosure or distribution, is prohibited. If you are not the intended
> recipient, please contact the sender and destroy all copies of this email.
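The opt-in that Greg describes, as an added example rather than code from the thread or from the Commons project: BEANUTILS-463 shipped `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` in 1.9.2, but nothing registers it for you, so a caller has to add it to the `PropertyUtilsBean` behind `BeanUtils`/`PropertyUtils`. The `UserForm` bean and the request parameter map below are constructed for the demo; the example assumes commons-beanutils 1.9.2 (or later 1.9.x) on the classpath.

```java
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

import java.util.LinkedHashMap;
import java.util.Map;

public class BeanUtilsClassPropertyDemo {

    /** Hypothetical form bean, the kind of object a web layer fills from request parameters. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Register the class-suppressing introspector on the shared BeanUtilsBean.
     * BeanUtilsBean.getInstance() is held per thread-context ClassLoader, so do this
     * at application startup in the same context that later calls BeanUtils.
     */
    public static void suppressClassProperty() {
        BeanUtilsBean.getInstance().getPropertyUtils()
            .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // PropertyUtilsBean caches descriptors per bean class. Drop anything
        // introspected before the introspector was registered, otherwise the
        // cached descriptor set for UserForm still contains "class".
        PropertyUtils.clearDescriptors();
    }

    /**
     * True if BeanUtils resolves "class.classLoader" on the bean, i.e. the
     * ClassLoader is reachable through the same path request parameters use.
     */
    public static boolean classLoaderReachable(Object bean) {
        try {
            return PropertyUtils.getNestedProperty(bean, "class.classLoader") != null;
        } catch (NoSuchMethodException e) {
            return false; // "Unknown property 'class'": the introspector hid it
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();

        // Constructed request parameters: a legitimate field plus a nested
        // "class.*" key of the shape CVE-2014-0114 describes.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.someSetting", "x"); // hypothetical nested key

        // Default 1.9.2 behaviour: the class property is exposed, so the
        // "class.classLoader" prefix resolves to the application ClassLoader.
        System.out.println("before hardening, ClassLoader reachable: "
            + classLoaderReachable(form));

        suppressClassProperty();

        // After opting in: "class" is no longer a bean property, populate()
        // skips the nested key silently and still sets the real field.
        System.out.println("after hardening, ClassLoader reachable: "
            + classLoaderReachable(form));
        BeanUtils.populate(form, params);
        System.out.println("name after populate: " + form.getName());
    }
}
```

Run against 1.9.2 the first line prints `true` and the second `false`, with `name` still populated. Because the introspector lives on the `BeanUtilsBean` for the current thread-context ClassLoader, a container that gives each web application its own loader needs the registration in each application, not just once in the JVM.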