Wei-Chiu Chuang created HADOOP-16542:
----------------------------------------

             Summary: Update commons-beanutils version
                 Key: HADOOP-16542
                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
             Project: Hadoop Common
          Issue Type: Task
    Affects Versions: 3.3.0
            Reporter: Wei-Chiu Chuang


[http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cc628798f-315d-4428-8cb1-4ed1ecc95...@apache.org%3e]

{quote}
CVE-2019-10086. Apache Commons Beanutils does not suppress the class property in PropertyUtilsBean by default.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-beanutils-1.9.3 and earlier

Description: A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the class property of
Java objects to get access to the classloader.
However this protection was not enabled by default.
PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
level property access by default, thus protecting against
CVE-2014-0114.

Mitigation: 1.X users should migrate to 1.9.4.
{quote}
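Added example, not code from this ticket or from the Commons project: on 1.9.2 and 1.9.3 the protection described above has to be switched on explicitly by registering SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS on the PropertyUtilsBean, and the check below reports whether "class" is still discovered as a bean property; UserForm is a hypothetical stand-in for an application bean populated from request parameters.

```java
import java.beans.PropertyDescriptor;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    // Hypothetical bean standing in for an object that BeanUtils populates from untrusted input.
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** True if this PropertyUtilsBean still exposes the "class" property of the given bean. */
    static boolean exposesClassProperty(PropertyUtilsBean propertyUtils, Object bean) {
        for (PropertyDescriptor pd : propertyUtils.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    /** Hardened configuration for 1.9.2/1.9.3: register the introspector the advisory refers to. */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    public static void main(String[] args) {
        UserForm form = new UserForm();

        // Library defaults: exposes "class" on 1.9.3 and earlier, suppressed from 1.9.4 on.
        BeanUtilsBean defaults = new BeanUtilsBean();
        System.out.println("default config exposes 'class': "
                + exposesClassProperty(defaults.getPropertyUtils(), form));

        // Explicitly hardened instance: "class" is suppressed regardless of version.
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("hardened config exposes 'class': "
                + exposesClassProperty(hardened.getPropertyUtils(), form));
    }
}
```

Note that the introspector is registered per PropertyUtilsBean instance, so code that relies on the static BeanUtils/PropertyUtils helpers must register it on BeanUtilsBean.getInstance().getPropertyUtils() instead; upgrading to 1.9.4 removes the need for either.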



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
