shiro-dev mailing list archives

From "Brian Demers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-619) Used Limited access BeanUtilsBean
Date Tue, 28 Mar 2017 18:34:41 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15945691#comment-15945691 ]

Brian Demers commented on SHIRO-619:
------------------------------------

Thanks [~YauheniSidarenka]
PR [#40 | https://github.com/apache/shiro/pull/60] should address your concern, though the usage of BeanUtils in Shiro only happens at configuration (application boot up) time.

In the future, please raise any CVE / security issues on the private lists first: security@shiro.apache.org or security@apache.org.
For more info see: https://www.apache.org/security/

> Used Limited access BeanUtilsBean
> ---------------------------------
>
>                 Key: SHIRO-619
>                 URL: https://issues.apache.org/jira/browse/SHIRO-619
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.3.2, 1.4.0-RC2
>            Reporter: Yauheni Sidarenka
>
> This issue stems from https://issues.apache.org/jira/browse/SHIRO-576.
> In my humble opinion, it is not enough just to set the version of commons-beanutils to 1.9.2 or 1.9.3 in order to fix the CVE-2014-0114 vulnerability, because the mentioned versions *DO NOT* fix it by default. In contrast, the fix should be applied explicitly by beanutils-consuming applications (see the INTRODUCTION section in http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt).
> So, if Shiro uses _BeanUtilsBean_ somehow and is vulnerable to the mentioned CVE, it would be worth configuring _BeanUtilsBean_ as recommended in beanutils' release notes.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
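The configuration the reporter asks for, as an added illustration that is not Shiro's code and not the contents of the linked PR: the commons-beanutils 1.9.2 release notes say the `class` property is still exposed by default and that a consuming application must register `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` on its own `BeanUtilsBean` to close the `class.classLoader...` path behind CVE-2014-0114. The `Settings` bean, the `probe` helper and the hostile property path below are constructed for the demonstration; `BeanUtilsBean`, `PropertyUtilsBean.addBeanIntrospector`, `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` and `BeanUtilsBean.setInstance` are the real commons-beanutils 1.9.2 API.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example: the default BeanUtilsBean beside one hardened as the
 * commons-beanutils 1.9.2 release notes recommend. Not Shiro project code.
 */
public class BeanUtilsHardeningDemo {

    /** Constructed target bean, standing in for an object populated from configuration. */
    public static class Settings {
        private String name = "default";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Stock instance: "class" is an ordinary readable property, so class.classLoader resolves. */
    static BeanUtilsBean unhardened() {
        return new BeanUtilsBean();
    }

    /** Instance with the "class" property hidden from introspection (release-notes recommendation). */
    static BeanUtilsBean hardened() {
        BeanUtilsBean bub = new BeanUtilsBean();
        bub.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    /** Constructed helper: reports what a nested property read yields, or why it was refused. */
    static String probe(BeanUtilsBean bub, Object bean, String path) {
        try {
            return "read: " + bub.getProperty(bean, path);
        } catch (NoSuchMethodException e) {
            // getProperty fails here when "class" is no longer a known property of the bean.
            return "refused: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) {
        Settings bean = new Settings();
        // Constructed hostile property path, the shape used against CVE-2014-0114.
        String hostile = "class.classLoader";

        System.out.println("unhardened -> " + probe(unhardened(), bean, hostile)); // read: <a ClassLoader>
        System.out.println("hardened   -> " + probe(hardened(), bean, hostile));   // refused: Unknown property 'class' ...
        System.out.println("hardened   -> " + probe(hardened(), bean, "name"));    // read: default

        // Make the hardened instance the one behind the static BeanUtils.* convenience methods as well;
        // otherwise only code that explicitly uses this instance is protected.
        BeanUtilsBean.setInstance(hardened());
    }
}
```

Two practitioner notes. First, the suppression acts at introspection: the hardened instance simply does not see a `class` property, which is why the read above ends in `NoSuchMethodException` rather than a `ClassLoader`; `BeanUtilsBean.setProperty` on a path it cannot resolve is skipped silently rather than thrown, so the read probe is the clearer test. Second, `BeanUtilsBean.setInstance` only affects the static `BeanUtils` facade for the current context class loader, so every `new BeanUtilsBean()` created elsewhere in the application needs the same `addBeanIntrospector` call; commons-beanutils did not make `SUPPRESS_CLASS` the default until 1.9.4.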
