marylinh / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

Need to update Apache Commons BeanUtils #340

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.Look at POM
2.See the version is 1.8.3
3.Look at CVE-2014-0114 and see the description "Apache Commons BeanUtils, as 
distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 
1.3.10 and in other products requiring commons-beanutils through 1.9.2, does 
not suppress the class property, which allows remote attackers to "manipulate" 
the ClassLoader and execute arbitrary code via the class parameter, as 
demonstrated by the passing of this parameter to the getClass method of the 
ActionForm object in Struts 1."

What is the expected output? What do you see instead?
Output isn't the issue

What version of the product are you using? On what operating system?
2.1 (also looked at the trunk version which appears to be 2.1.1)

Does this issue affect only a specified browser or set of browsers?
No

Please provide any additional information below.
Need to update the version.  Also, need to add some extra code to deal with the 
issue.  See the INTRODUCTION section in the 1.9.2 release notes: 
http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES
.txt

Original issue reported on code.google.com by davidedi...@gmail.com on 4 Feb 2015 at 7:19