漏洞信息
# Apache Commons BeanUtils:PropertyUtilsBean 默认不对枚举的 declaredClass 属性进行抑制
N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
漏洞描述信息
Improper Access Control vulnerability in Apache Commons.
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils
1.x are recommended to upgrade to version 1.11.0, which fixes the issue.
Users of the artifact org.apache.commons:commons-beanutils2
2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
CVSS信息
N/A
漏洞类别
访问控制不恰当
漏洞标题
Apache Commons 安全漏洞
漏洞描述信息
Apache Commons是美国阿帕奇(Apache)基金会的一个专注于可重用 Java 组件各个方面的 Apache 项目。 Apache Commons存在安全漏洞,该漏洞源于访问控制不当,可能导致攻击者通过枚举对象的declaredClass属性访问类加载器并执行任意代码。
CVSS信息
N/A
漏洞类别
其他