commons-beanutils:commons-beanutils@1.8.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the commons-beanutils:commons-beanutils package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Arbitrary Code Execution
Severity: High

commons-beanutils:commons-beanutils provides an easy-to-use but flexible wrapper around reflection and introspection.

Affected versions of this package are vulnerable to Arbitrary Code Execution (CVE-2014-0114). BeanUtils does not suppress the `class` property that every Java object exposes through `getClass()`, so a caller that binds untrusted input to bean properties (for example, HTTP request parameters) lets a remote attacker reach the bean's `Class` and, through it, its `ClassLoader`, and manipulate them via a parameter name beginning with `class` (such as `class.classLoader...`). This was demonstrated in Struts 1, where request parameters are bound onto the `ActionForm` object and the `class` parameter resolves to `ActionForm.getClass()`.

Note: version 1.9.2 added a special `BeanIntrospector` implementation, `SuppressPropertiesBeanIntrospector`, with a ready-made `SUPPRESS_CLASS` instance that removes the `class` property from introspection. This introspector is NOT registered by default in 1.9.2. Commons BeanUtils is a low-level library, and at this layer it cannot decide whether access to a given property is legitimate, so an application has to register the suppressing introspector explicitly via `PropertyUtilsBean.addBeanIntrospector(...)`. Later releases (1.9.4 and above) register `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` by default.
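The following is an added example (not code from this page or from the Commons BeanUtils project) showing how an application on 1.9.2 or 1.9.3 registers the suppressing introspector and how to verify that the `class` property is no longer resolvable. The `UserForm` bean and the parameter map are constructed stand-ins for a Struts 1 `ActionForm` and the request parameters an attacker would control; the `class.classLoader...` key is only there to show the shape of such input and is not a working gadget path.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    /** Constructed stand-in for a Struts 1 ActionForm: one legitimate writable property. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * True if BeanUtils would resolve "class" as a property of the bean.
     * With the vulnerable configuration this is true for every object,
     * because Object.getClass() is picked up as a read-only "class" property.
     */
    static boolean exposesClassProperty(PropertyUtilsBean propertyUtils, Object bean) throws Exception {
        return propertyUtils.getPropertyDescriptor(bean, "class") != null;
    }

    public static void main(String[] args) throws Exception {
        // A private BeanUtilsBean so the demo does not depend on what the
        // per-classloader singleton (BeanUtilsBean.getInstance()) has registered.
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        PropertyUtilsBean propertyUtils = beanUtils.getPropertyUtils();
        UserForm form = new UserForm();

        // Constructed "request parameters": one honest field plus an attacker-shaped key
        // that starts with "class" to traverse into the ClassLoader. Illustrative only.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("class.classLoader.defaultAssertionStatus", "true");

        System.out.println("class property visible before fix: "
                + exposesClassProperty(propertyUtils, form));   // true on 1.9.2/1.9.3 defaults

        // The fix an application must apply itself on 1.9.2/1.9.3:
        // register the suppressing introspector on the PropertyUtilsBean that does the binding.
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        System.out.println("class property visible after fix: "
                + exposesClassProperty(propertyUtils, form));   // false

        // populate() now binds only "name"; the "class.*" key no longer resolves and is skipped.
        beanUtils.populate(form, params);
        System.out.println("name = " + form.getName());
    }
}
```

In a real deployment the binding is usually done through the static `BeanUtils.populate(...)`, which delegates to `BeanUtilsBean.getInstance()`; register the introspector on `BeanUtilsBean.getInstance().getPropertyUtils()` early at startup (a `ServletContextListener` is a convenient place) so that every binder in that classloader is covered, and add a startup check like `exposesClassProperty` above so a regression is caught before the application serves traffic.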

How to fix Arbitrary Code Execution?

Upgrade commons-beanutils:commons-beanutils to version 1.9.2 or higher. Note that on 1.9.2 and 1.9.3 the upgrade alone is not sufficient: the application must also register `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` on the `PropertyUtilsBean` that performs the binding. Upgrading to 1.9.4 or later, where that introspector is registered by default, removes this extra step.

Vulnerable versions: [1.8.0,1.9.2)