CVE-2019-10086 - High Severity Vulnerability
Vulnerable Libraries - commons-beanutils-1.8.0.jar, commons-beanutils-1.7.0.jar
commons-beanutils-1.8.0.jar
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: struts-2.3.20/bundles/admin/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar
Dependency Hierarchy:
- tiles-core-2.0.6.jar (Root Library)
  - commons-digester-2.0.jar
    - :x: **commons-beanutils-1.8.0.jar** (Vulnerable Library)
commons-beanutils-1.7.0.jar
Path to dependency file: struts-2.3.20/bundles/demo/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
- velocity-tools-1.3.jar (Root Library)
  - :x: **commons-beanutils-1.7.0.jar** (Vulnerable Library)
Found in HEAD commit: 0bfc3664462638feef3ae03ae4fd6b8d4a8388cd
Vulnerability Details
In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added that allows suppressing an attacker's ability to reach the classloader through the class property available on all Java objects. However, this BeanIntrospector was not enabled by default in PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: https://github.com/apache/commons-beanutils/commit/62e82ad92cf4818709d6044aaf257b73d42659a4
Release Date: 2019-06-06
Fix Resolution: Replace or update the following files: Jira520TestCase.java, BeanIntrospectionDataTestCase.java, PropertyUtilsBean.java, changes.xml, Jira157TestCase.java, pom.xml