Description
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the PropertyUtilsBean.
A flaw was found in Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.
Mitigation
There is no currently known mitigation for this flaw.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat AMQ Broker 7 | commons-beanutils | Affected | | |
Red Hat BPM Suite 6 | commons-beanutils | Out of support scope | | |
Red Hat CodeReady Studio 12 | commons-beanutils | Not affected | | |
Red Hat Enterprise Linux 5 | jakarta-commons-beanutils | Out of support scope | | |
Red Hat Enterprise Linux 6 | jakarta-commons-beanutils | Out of support scope | | |
Red Hat JBoss A-MQ 6 | commons-beanutils | Affected | | |
Red Hat JBoss BRMS 5 | commons-beanutils | Out of support scope | | |
Red Hat JBoss Data Virtualization 6 | commons-binutils | Out of support scope | | |
Red Hat JBoss Enterprise Application Platform 5 | commons-beanutils | Out of support scope | | |
Red Hat JBoss Enterprise Application Platform 6 | commons-beanutils | Out of support scope | | |
Additional information
Status:
EPSS
7.3 High
CVSS3