Vulnerability reported in Apache Commons Beanutils (CVE-2019-10086) - Bloomreach Experience - Open Source CMS

Vulnerability reported in Apache Commons Beanutils (CVE-2019-10086) 

Issue date: 01-11-2019
Affects versions: 13.3, 13.2, 12.6, 11.2

Issue ID: SECURITY-125

 

Affected Product Version(s)
13.3.0, 13.2.2, 12.6.6, 11.2.15.1 (and previous patch releases)


Severity 

Medium


Description

A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the class property of Java objects to get access to the classloader.
However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class level property access by default, thus protecting against CVE-2014-0114.

Instructions

Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.