What steps will reproduce the problem?
1. Look at POM
2. See the version is 1.8.3
3.Look at CVE-2014-0114 and see the description "Apache Commons BeanUtils, as
distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through
1.3.10 and in other products requiring commons-beanutils through 1.9.2, does
not suppress the class property, which allows remote attackers to "manipulate"
the ClassLoader and execute arbitrary code via the class parameter, as
demonstrated by the passing of this parameter to the getClass method of the
ActionForm object in Struts 1."
What is the expected output? What do you see instead?
Output isn't the issue
What version of the product are you using? On what operating system?
2.1 (also looked at the trunk version which appears to be 2.1.1)
Does this issue affect only a specified browser or set of browsers?
No
Please provide any additional information below.
Need to update the version. Also, need to add some extra code to deal with the
issue. See the INTRODUCTION section in the 1.9.2 release notes:
http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
Original issue reported on code.google.com by davidedi...@gmail.com on 4 Feb 2015 at 7:19
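The "extra code" the report refers to is the opt-in introspector that commons-beanutils 1.9.2 added so that the `class` property is no longer exposed to `BeanUtils.populate`. The following is an added example written for this page, not code from the original report or from the commons-beanutils project; it assumes a Java project that has already moved its POM to commons-beanutils 1.9.2, and the `UserForm` bean and its field names are constructed for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SafeBeanPopulation {

    // Constructed form bean standing in for an application's request-bound object.
    public static class UserForm {
        private String username;

        public String getUsername() {
            return username;
        }

        public void setUsername(String username) {
            this.username = username;
        }
    }

    // A BeanUtilsBean whose property introspection drops the "class" property.
    // SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS is the introspector the
    // 1.9.2 release notes point to; in 1.9.2 it has to be registered explicitly.
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bean = new BeanUtilsBean();
        bean.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bean;
    }

    // True when populate() would be able to resolve the "class" property on target,
    // i.e. when getClass() is still reachable from request parameter names.
    public static boolean exposesClassProperty(BeanUtilsBean bean, Object target) {
        return bean.getPropertyUtils().isReadable(target, "class");
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();

        // Default 1.9.2 behaviour: "class" is an ordinary readable property.
        BeanUtilsBean unhardened = new BeanUtilsBean();
        System.out.println("default exposes class: "
                + exposesClassProperty(unhardened, form));   // true

        // Hardened instance: "class" is suppressed, so nested names starting
        // with "class." are rejected by the property resolver and ignored.
        BeanUtilsBean hardened = hardenedBeanUtils();
        System.out.println("hardened exposes class: "
                + exposesClassProperty(hardened, form));     // false

        // Constructed request parameters: one legitimate field and one key
        // that tries to address the "class" property. Only username is applied.
        Map<String, String> params = new HashMap<String, String>();
        params.put("username", "alice");
        params.put("class.name", "ignored");
        hardened.populate(form, params);
        System.out.println("username after populate: " + form.getUsername());
    }
}
```

Register the introspector on every `BeanUtilsBean`/`PropertyUtilsBean` instance the application actually uses for request binding (the static `BeanUtils` helpers delegate to `BeanUtilsBean.getInstance()`), otherwise the upgrade alone leaves the `class` property reachable. Later 1.9.x releases (1.9.4 onwards) turned this suppression on by default.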