Commons BeanUtils

About Security

For information about reporting or asking questions about security, please see Apache Commons Security.

This page lists all security vulnerabilities fixed in released versions of this component.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the component version that you are using.

If you need help on building this component or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public user mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Security Vulnerabilities

CVE-2019-10086

  • CVE-2019-10086: Apache Commons Beanutils does not suppress the class property in PropertyUtilsBean by default.
  • Severity: Medium
  • Vendor: The Apache Software Foundation
  • Versions Affected: commons-beanutils-1.9.3 and earlier
  • Description: A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the class property of Java objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default, thus protecting against CVE-2014-0114.
  • Mitigation: 1.X users should migrate to 1.9.4.
  • Credit: This was discovered by Melloware (https://melloware.com/).

Example:

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
import org.junit.Test;

// AlphaBean is the simple test bean fixture from the component's own test sources;
// these tests live alongside it.
public class SuppressClassPropertyTest {

    /**
     * Example displaying the new default behavior such that
     * it is not possible to access class level properties utilizing the
     * BeanUtilsBean, which in turn utilizes the PropertyUtilsBean.
     */
    @Test
    public void testSuppressClassPropertyByDefault() throws Exception {
        final BeanUtilsBean bub = new BeanUtilsBean();
        final AlphaBean bean = new AlphaBean();
        try {
            bub.getProperty(bean, "class");
            fail("Could access class property!");
        } catch (final NoSuchMethodException ex) {
            // ok: the SUPPRESS_CLASS introspector hides the "class" descriptor
        }
    }

    /**
     * Example showing how one would revert to the behaviour prior to the
     * 1.9.4 release, where class level properties were accessible by
     * the BeanUtilsBean and the PropertyUtilsBean.
     */
    @Test
    public void testAllowAccessToClassProperty() throws Exception {
        final BeanUtilsBean bub = new BeanUtilsBean();
        // Removing the introspector re-exposes the "class" property (not recommended).
        bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        final AlphaBean bean = new AlphaBean();
        final String result = bub.getProperty(bean, "class");
        assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils2.AlphaBean", result);
    }
}
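The description above notes that the suppressing introspector exists since 1.9.2 but was only enabled by default in 1.9.4. The following is an added example, not code from the Apache Commons BeanUtils project, showing how a deployment that cannot yet upgrade from 1.9.2 or 1.9.3 can register SUPPRESS_CLASS explicitly on both a private instance and the shared instance behind the static BeanUtils/PropertyUtils facades, plus a check usable as a regression test; the class name BeanUtilsHardening is hypothetical.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Hypothetical hardening helper for BeanUtils 1.9.2 / 1.9.3 deployments. */
public final class BeanUtilsHardening {

    private BeanUtilsHardening() {}

    /** A BeanUtilsBean whose PropertyUtilsBean hides the "class" property. */
    public static BeanUtilsBean hardenedBeanUtils() {
        final PropertyUtilsBean pub = new PropertyUtilsBean();
        // Explicit registration; harmless on 1.9.4+, where it is already the default.
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return new BeanUtilsBean(new ConvertUtilsBean(), pub);
    }

    /** Hardens the shared instance used by the static BeanUtils and PropertyUtils facades. */
    public static void hardenSharedInstance() {
        BeanUtilsBean.getInstance().getPropertyUtils()
            .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    /**
     * Regression check: true when "class" cannot be resolved through the given
     * instance. Nested paths ("class.xxx") resolve the first segment through the
     * same descriptor lookup, so hiding "class" blocks them as well.
     */
    public static boolean classPropertyIsSuppressed(final BeanUtilsBean bub, final Object bean) {
        try {
            bub.getProperty(bean, "class");
            return false;                       // descriptor still visible: not hardened
        } catch (final NoSuchMethodException expected) {
            return true;                        // introspector hid the property
        } catch (final Exception other) {
            return false;
        }
    }

    public static void main(final String[] args) {
        // Any object works as a bean here: every class exposes getClass() to the Introspector.
        final Object bean = new java.util.Date();
        System.out.println("default instance suppresses class:  "
            + classPropertyIsSuppressed(new BeanUtilsBean(), bean));
        System.out.println("hardened instance suppresses class: "
            + classPropertyIsSuppressed(hardenedBeanUtils(), bean));
    }
}
```

On 1.9.2 or 1.9.3 the first line prints false and the second true; on 1.9.4 both print true.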

References:

  1. https://issues.apache.org/jira/browse/BEANUTILS-520
  2. http://commons.apache.org/proper/commons-beanutils/