Source: commons-beanutils
Version: 1.10.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for commons-beanutils.

CVE-2025-48734[0]:
| Improper Access Control vulnerability in Apache Commons. A special
| BeanIntrospector class was added in version 1.9.2. This can be used to
| stop attackers from using the declared class property of Java enum
| objects to get access to the classloader. However this protection was
| not enabled by default. PropertyUtilsBean (and consequently
| BeanUtilsBean) now disallows declared class level property access by
| default. Releases 1.11.0 and 2.0.0-M2 address a potential security
| issue when accessing enum properties in an uncontrolled way. If an
| application using Commons BeanUtils passes property paths from an
| external source directly to the getProperty() method of
| PropertyUtilsBean, an attacker can access the enum's class loader via
| the "declaredClass" property available on all Java "enum" objects.
| Accessing the enum's "declaredClass" allows remote attackers to access
| the ClassLoader and execute arbitrary code. The same issue exists with
| PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and
| 2.0.0-M2 a special BeanIntrospector suppresses the "declaredClass"
| property. Note that this new BeanIntrospector is enabled by default,
| but you can disable it to regain the old behavior; see section 2.5 of
| the user's guide and the unit tests. This issue affects Apache Commons
| BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the
| artifact commons-beanutils:commons-beanutils 1.x are recommended to
| upgrade to version 1.11.0, which fixes the issue. Users of the artifact
| org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to
| version 2.0.0-M2, which fixes the issue.

If you fix the vulnerability, please also make sure to include the CVE
(Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48734
    https://www.cve.org/CVERecord?id=CVE-2025-48734
[1] https://www.openwall.com/lists/oss-security/2025/05/28/6
[2] https://dlcdn.apache.org/commons/beanutils/RELEASE-NOTES.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
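The following Java program is an added example, not code from the bug report, from Debian, or from Commons BeanUtils itself. It shows the attack path the advisory describes and two ways to close it on a 1.9.2 or later classpath. The JavaBeans property behind the advisory's "declared class" wording is `declaringClass` (from `Enum.getDeclaringClass()`), and `Class.getClassLoader()` is exposed as `classLoader`, so the attacker-controlled path is `color.declaringClass.classLoader`. The `Form`/`Color` bean, the `ALLOWED_PATHS` set and the method names are constructed for the example; the `SuppressPropertiesBeanIntrospector(Collection<String>)` constructor and `PropertyUtilsBean.addBeanIntrospector()` are the 1.9.2+ public API. On 1.11.0 and later the explicit suppression is redundant but harmless.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not part of the bug report or of Commons BeanUtils):
 * the enum property path behind CVE-2025-48734 and two mitigations
 * that work on commons-beanutils 1.9.2+.
 */
public class EnumPropertyPathDemo {

    // Constructed sample bean: a request-bound form with an enum-typed field.
    public enum Color { RED, GREEN }

    public static class Form {
        private Color color = Color.RED;
        public Color getColor() { return color; }
        public void setColor(Color color) { this.color = color; }
    }

    // The advisory's path in JavaBeans spelling:
    // Enum.getDeclaringClass() -> "declaringClass", Class.getClassLoader() -> "classLoader".
    public static final String ATTACKER_PATH = "color.declaringClass.classLoader";

    // Constructed allowlist: the only property path this endpoint is meant to bind.
    private static final Set<String> ALLOWED_PATHS = new HashSet<>(Arrays.asList("color"));

    /** Vulnerable shape: an untrusted path is handed straight to getNestedProperty(). */
    public static Object resolveUnguarded(Form form, String path) throws Exception {
        // 1.9.4 to 1.10.x defaults suppress only "class"; "declaringClass" is still reachable.
        PropertyUtilsBean pub = new PropertyUtilsBean();
        return pub.getNestedProperty(form, path);
    }

    /** Mitigation 1: suppress "declaringClass" explicitly (what 1.11.0 does by default). */
    public static Object resolveWithSuppression(Form form, String path) throws Exception {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(
                Collections.singleton("declaringClass")));
        // For the attack path this now fails with NoSuchMethodException ("Unknown property ...").
        return pub.getNestedProperty(form, path);
    }

    /** Mitigation 2: never pass an external path to BeanUtils unless it is on an allowlist. */
    public static Object resolveAllowlisted(Form form, String path) throws Exception {
        if (!ALLOWED_PATHS.contains(path)) {
            throw new IllegalArgumentException("property path not permitted: " + path);
        }
        return new PropertyUtilsBean().getNestedProperty(form, path);
    }

    public static void main(String[] args) throws Exception {
        Form form = new Form();

        // On an unpatched 1.x release this prints the application ClassLoader.
        System.out.println("unguarded: " + resolveUnguarded(form, ATTACKER_PATH));

        try {
            resolveWithSuppression(form, ATTACKER_PATH);
        } catch (NoSuchMethodException e) {
            System.out.println("suppressed: " + e.getMessage());
        }

        try {
            resolveAllowlisted(form, ATTACKER_PATH);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println("legitimate: " + resolveAllowlisted(form, "color"));
    }
}
```

Run it against commons-beanutils 1.10.x to see the ClassLoader come back from the unguarded call, then against 1.11.0 to see that even `resolveUnguarded` throws, which is the check to do before closing the bug. The allowlist is the stronger control of the two: suppressing one property name protects against this path only, whereas rejecting every path the endpoint does not expect removes the whole class of nested-property walks.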