Hello, any plans to release version 2.0.0 final? Cheers,
Rico

> On 28 May 2025, at 15:26, Gary D. Gregory <ggreg...@apache.org> wrote:
>
> Severity: important
>
> Affected versions:
>
> - Apache Commons BeanUtils 1.x 1.0 before 1.11.0
> - Apache Commons BeanUtils 2.x 2.0.0-M1 before 2.0.0-M2
>
> Description:
>
> Improper Access Control vulnerability in Apache Commons.
>
> A special BeanIntrospector class was added in version 1.9.2. This can be used
> to stop attackers from using the declared class property of Java enum objects
> to get access to the classloader. However, this protection was not enabled by
> default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows
> declared class level property access by default.
>
> Releases 1.11.0 and 2.0.0-M2 address a potential security issue when
> accessing enum properties in an uncontrolled way. If an application using
> Commons BeanUtils passes property paths from an external source directly to
> the getProperty() method of PropertyUtilsBean, an attacker can access the
> enum’s class loader via the “declaredClass” property available on all Java
> “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers
> to access the ClassLoader and execute arbitrary code. The same issue exists
> with PropertyUtilsBean.getNestedProperty().
> Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector
> suppresses the “declaredClass” property. Note that this new BeanIntrospector
> is enabled by default, but you can disable it to regain the old behavior; see
> section 2.5 of the user's guide and the unit tests.
>
> This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before
> 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils
> 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.
>
> Users of the artifact org.apache.commons:commons-beanutils2
> 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
>
> Credit:
>
> Raj (mailto:denesh....@zohocorp.com) (reporter)
> Muthukumar Marikani (mailto:muthukumar.marik...@zohocorp.com) (finder)
>
> References:
>
> https://commons.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2025-48734
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> For additional commands, e-mail: user-h...@commons.apache.org
> ---------------------------------------------------------------------
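As an added illustration of the mitigation the quoted advisory describes (not code from the advisory or from the Commons project), the snippet below registers the SuppressPropertiesBeanIntrospector that BeanUtils has shipped since 1.9.2 on a PropertyUtilsBean, hiding both "class" and the enum property that the JavaBeans introspector names "declaringClass" (from Enum.getDeclaringClass(); the advisory refers to it as "declaredClass"), and then resolves an externally supplied property path through that hardened instance. The Shape and Color types are constructed for the demo; on 1.11.0 and 2.0.0-M2 the suppression is already on by default, so the explicit registration is what closes the gap on 1.9.2 through 1.10.x.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class HardenedPropertyAccess {

    // Constructed demo types: an enum-typed property on an ordinary bean.
    enum Color { RED, GREEN }

    public static class Shape {
        private Color color = Color.RED;
        public Color getColor() { return color; }
        public void setColor(Color c) { color = c; }
    }

    /** PropertyUtilsBean whose introspection never exposes "class" or "declaringClass". */
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        Set<String> blocked = new HashSet<>(Arrays.asList("class", "declaringClass"));
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(blocked));
        return pub;
    }

    /**
     * Resolves a property path that came from outside the application.
     * A suppressed property has no descriptor, so BeanUtils reports it as
     * an unknown property (NoSuchMethodException) instead of walking into
     * the enum's Class object; this method maps every reflective failure
     * to null so callers cannot distinguish "blocked" from "absent".
     */
    static Object resolveExternalPath(PropertyUtilsBean pub, Object bean, String path) {
        try {
            return pub.getNestedProperty(bean, path);
        } catch (ReflectiveOperationException e) {
            // NoSuchMethodException, IllegalAccessException, InvocationTargetException
            return null;
        }
    }

    public static void main(String[] args) {
        PropertyUtilsBean pub = hardenedPropertyUtils();
        Shape shape = new Shape();
        System.out.println("color -> " + resolveExternalPath(pub, shape, "color"));
        System.out.println("color.declaringClass.classLoader -> "
                + resolveExternalPath(pub, shape, "color.declaringClass.classLoader"));
    }
}
```

Pair this with an allow-list of the property names the application actually intends to expose; the introspector blocks the two known dangerous properties, but a closed list of accepted paths is the stronger control when paths arrive from untrusted input.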