[jira] [Commented] (SHIRO-619) Used Limited access BeanUtilsBean


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SHIRO-619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15946702#comment-15946702 ]

Yauheni Sidarenka commented on SHIRO-619:

Thank you [~bdemers] for your effort and for your notice about the security lists. I just thought it was unnecessary to use the private security list, since the issue is disclosed by SHIRO-576. By the way, will this PR be backported to the 1.3.x branch?

> Used Limited access BeanUtilsBean
> ---------------------------------
>                 Key: SHIRO-619
>                 URL: https://issues.apache.org/jira/browse/SHIRO-619
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.3.2, 1.4.0-RC2
>            Reporter: Yauheni Sidarenka
> This issue stems from https://issues.apache.org/jira/browse/SHIRO-576.
> In my humble opinion, it is not enough just to set the version of commons-beanutils to 1.9.2 or 1.9.3 in order to fix the CVE-2014-0114 vulnerability, because the mentioned versions *DO NOT* fix it by default. In contrast, the fix should be applied explicitly by beanutils-consuming applications (see the INTRODUCTION section in http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt).
> So, if Shiro uses _BeanUtilsBean_ somehow and is vulnerable to the mentioned CVE, it would be worth configuring _BeanUtilsBean_ as recommended in beanutils' release notes.

This message was sent by Atlassian JIRA
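The explicit configuration the issue refers to, as an added example that is not part of the JIRA thread and not Shiro's own code: the commons-beanutils 1.9.2 release notes tell consuming applications to register `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` on the `PropertyUtilsBean` behind their `BeanUtilsBean`, so that the `class` property (and therefore the `class.classLoader` path used in CVE-2014-0114 attacks) can no longer be reached. The `BeanUtilsBean`, `PropertyUtilsBean.addBeanIntrospector` and `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` calls are the real beanutils 1.9.2+ API; the `Target` bean, the `hardenedBeanUtils` and `exposesClassProperty` helpers and the sample property path are assumptions constructed for this illustration. It assumes commons-beanutils 1.9.2 or 1.9.3 on the classpath, where the default `BeanUtilsBean` still resolves `class`.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    // Constructed sample bean standing in for any object whose properties
    // get populated from untrusted input (assumption for this example).
    public static class Target {
        private String name = "default";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** BeanUtilsBean as shipped in 1.9.2/1.9.3: the "class" property is still exposed. */
    public static BeanUtilsBean defaultBeanUtils() {
        return new BeanUtilsBean();
    }

    /** BeanUtilsBean configured as the 1.9.2 release notes recommend. */
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bub = new BeanUtilsBean();
        // Remove the "class" property from introspection results so that
        // nested paths such as class.classLoader cannot be resolved.
        bub.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    /** Returns true if the given BeanUtilsBean resolves "class" on the target. */
    public static boolean exposesClassProperty(BeanUtilsBean bub, Object target) {
        try {
            // Resolves to target.getClass() unless the introspector suppressed it.
            bub.getProperty(target, "class");
            return true;
        } catch (Exception e) {
            // NoSuchMethodException ("Unknown property 'class'") once suppressed.
            return false;
        }
    }

    public static void main(String[] args) {
        Target t = new Target();
        System.out.println("default  exposes 'class': "
                + exposesClassProperty(defaultBeanUtils(), t));
        System.out.println("hardened exposes 'class': "
                + exposesClassProperty(hardenedBeanUtils(), t));

        // Attacker-style nested path that walks from the bean to its ClassLoader.
        // With the default bean it resolves; with the hardened one it fails at "class".
        String path = "class.classLoader";
        for (BeanUtilsBean bub : new BeanUtilsBean[] { defaultBeanUtils(), hardenedBeanUtils() }) {
            try {
                System.out.println("resolved " + path + " -> " + bub.getProperty(t, path));
            } catch (Exception e) {
                System.out.println("blocked " + path + ": " + e.getClass().getSimpleName());
            }
        }
    }
}
```

The important detail is that `addBeanIntrospector` must be called on the specific `PropertyUtilsBean` instance the application actually uses; a library that builds its own `BeanUtilsBean` (the situation SHIRO-619 describes) is not protected by an application registering the introspector on the shared `BeanUtilsBean.getInstance()`. Later commons-beanutils releases (1.9.4) made this suppression the default, but on 1.9.2/1.9.3 the registration above is the only thing that closes the `class` property.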