Wei-Chiu Chuang created HADOOP-16542:
----------------------------------------

Summary: Update commons-beanutils version
Key: HADOOP-16542
URL: https://issues.apache.org/jira/browse/HADOOP-16542
Project: Hadoop Common
Issue Type: Task
Affects Versions: 3.3.0
Reporter: Wei-Chiu Chuang

[http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e]

{quote}
CVE-2019-10086. Apache Commons Beanutils does not suppress the class property in PropertyUtilsBean by default.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-beanutils-1.9.3 and earlier

Description: A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the class property of Java objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default, thus protecting against CVE-2014-0114.

Mitigation: 1.X users should migrate to 1.9.4.
{quote}
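A check for the default described in the advisory above, as an added example (not code from the announcement or from Hadoop): it reports whether a `PropertyUtilsBean` still resolves the `class` property, first with library defaults and then with the suppressing introspector registered explicitly. The names `ClassPropertyCheck` and `SampleBean` are hypothetical, and commons-beanutils 1.9.2 or later with its dependencies is assumed to be on the classpath.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    /** Hypothetical bean standing in for any object populated from external input. */
    public static class SampleBean {
        private String name = "demo";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Returns true if the given PropertyUtilsBean still resolves the "class" property. */
    static boolean exposesClassProperty(PropertyUtilsBean pub) {
        try {
            pub.getProperty(new SampleBean(), "class");
            return true;
        } catch (NoSuchMethodException e) {
            // No descriptor for "class" was produced: the property is suppressed.
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("unexpected introspection failure", e);
        }
    }

    public static void main(String[] args) {
        // Library defaults. Per the advisory, the protection is off by default
        // up to 1.9.3 and on by default in 1.9.4.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default exposes class:  " + exposesClassProperty(defaults));

        // Explicit opt-in for 1.9.2 and 1.9.3: register the introspector on a
        // fresh instance, before that instance introspects any bean.
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        boolean stillExposed = exposesClassProperty(hardened);
        System.out.println("hardened exposes class: " + stillExposed);

        // Non-zero exit lets a build or CI step fail when the protection is missing.
        if (stillExposed) {
            System.exit(1);
        }
    }
}
```

Run against the commons-beanutils jar a build actually ships, the first line shows whether that version needs the explicit registration or the upgrade to 1.9.4.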