Apache Commons BeanUtils does not properly suppress the class property, which could lead to the remote execution of arbitrary code.
Package | dev-java/commons-beanutils on all architectures |
---|---|
Affected versions | < 1.9.2 |
Unaffected versions | >= 1.9.2 |
Commons-beanutils provides easy-to-use wrappers around Reflection and Introspection APIs
Apache Commons BeanUtils does not suppress the class property, which allows for the manipulation of the ClassLoader.
Remote attackers could potentially execute arbitrary code with the privileges of the process.
There is no known workaround at this time.
All Commons BeanUtils users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/commons-beanutils-1.9.2"
Release date
July 20, 2016
Latest revision
July 20, 2016: 1
Severity
normal
Exploitable
remote
Bugzilla entries