This is an automated email from the ASF dual-hosted git repository.
ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git
The following commit(s) were added to refs/heads/master by this push:
new d4ab75f9 Document release of CVE-2025-48734
d4ab75f9 is described below
commit d4ab75f9f1e81d7658052d23e580539233fae4fd
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Wed May 28 10:00:48 2025 -0400
Document release of CVE-2025-48734
CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not
suppresses an enum's declaredClass property by default
(https://www.cve.org/CVERecord?id=CVE-2025-48734)
---
src/changes/changes.xml | 1 +
src/site/xdoc/security.xml | 22 ++++++++++++++++++++--
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 6469580f..aa77fda4 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -34,6 +34,7 @@
</release>
<release version="2.0.0-M2" date="2025-05-25" description="This is a major
release and requires Java 8.">
<!-- FIX -->
+ <action type="fix" dev="ggregory" due-to="Raj, Muthukumar Marikani, Gary
Gregory">CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not
suppresses an enum's declaredClass property by default
(https://www.cve.org/CVERecord?id=CVE-2025-48734).</action>
<action type="fix" dev="ggregory" due-to="Gary Gregory">Javadoc is
missing its Overview page.</action>
<action type="fix" dev="ggregory" due-to="Gary Gregory">Remove -nouses
directive from maven-bundle-plugin. OSGi package imports now state 'uses'
definitions for package imports, this doesn't affect JPMS (from
org.apache.commons:commons-parent:80).</action>
<action type="fix" dev="ggregory" due-to="Gary Gregory">The class
org.apache.commons.beanutils2.PropertyUtils is now final (the class only
contains static methods).</action>
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 2d7cef19..abad0012 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -49,9 +49,7 @@
level property access by default, thus protecting against
CVE-2014-0114.
</li>
-
<li>Mitigation: 1.X users should migrate to 1.9.4.</li>
-
<li>Credit: This was discovered by Melloware
(https://melloware.com/).</li>
</ul>
<p>
@@ -95,6 +93,26 @@ public void testAllowAccessToClassProperty() throws
Exception {
<li>http://commons.apache.org/proper/commons-beanutils/</li>
</ol>
</subsection>
+ <subsection name="CVE-2025-48734">
+ <ul>
+ <li><a
href="https://www.cve.org/CVERecord?id=CVE-2025-48734";>CVE-2025-48734</a>:
Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's
declaredClass property by default</li>
+ <li>Severity: important</li>
+ <li>Affected versions: 1.x 1.0 before 1.11.0</li>
+ <li>Affected versions: 2.x 2.0.0-M1 before 2.0.0-M2</li>
+ <li>Description: Improper Access Control vulnerability in Apache
Commons.
+ A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the declared class property of
Java enum objects to get access to the classloader. However this protection was
not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now
disallows declared class level property access by default.
+ Releases 1.11.0 and 2.0.0-M2 address a potential security issue
when accessing enum properties in an uncontrolled way. If an application using
Commons BeanUtils passes property paths from an external source directly to the
getProperty() method of PropertyUtilsBean, an attacker can access the enum’s
class loader via the “declaredClass” property available on all Java “enum”
objects. Accessing the enum’s “declaredClass” allows remote attackers to access
the ClassLoader and exe [...]
+ Starting in versions 1.11.0 and 2.0.0-M2 a special
BeanIntrospector suppresses the “declaredClass” property. Note that this new
BeanIntrospector is enabled by default, but you can disable it to regain the
old behavior; see section 2.5 of the user's guide and the unit tests.
+ This issue affects Apache Commons BeanUtils 1.x before 1.11.0,
and 2.x before 2.0.0-M2.
+ </li>
+ <li>Mitigation: Users of the artifact
commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version
1.11.0, which fixes the issue.</li>
+ <li>Mitigation: Users of the artifact
org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version
2.0.0-M2, which fixes the issue.</li>
+ <li>Credit: Raj (mailto:denesh....@zohocorp.com) (reporter)</li>
+ <li>Credit: Muthukumar Marikani
(mailto:muthukumar.marik...@zohocorp.com) (finder)</li>
+ <li>Reference: https://commons.apache.org/</li>
+ <li>Reference: <a
href="https://www.cve.org/CVERecord?id=CVE-2025-48734";>CVE-2025-48734</a></li>
+ </ul>
+ </subsection>
</section>
</body>
</document>
