shiro-dev mailing list archives

From "Brian Demers (JIRA)" <>
Subject [jira] [Commented] (SHIRO-619) Used Limited access BeanUtilsBean
Date Wed, 29 Mar 2017 13:54:41 GMT


Brian Demers commented on SHIRO-619:

You can bring the topic up on the list, though the workaround for
1.3 could be just to configure the static instance of BeanUtilsBean when your application
starts up.

> Used Limited access BeanUtilsBean
> ---------------------------------
>                 Key: SHIRO-619
>                 URL:
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.3.2, 1.4.0-RC2
>            Reporter: Yauheni Sidarenka
> This issue stems from
> In my humble opinion, it is not enough just to set the version of commons-beanutils to
> 1.9.2 or to 1.9.3 in order to fix the CVE-2014-0114 vulnerability because the mentioned versions *DO
> NOT* fix it by default. In contrast, the fix should be applied explicitly by beanutils-consuming
> applications (see INTRODUCTION section in
> So, if Shiro uses _BeanUtilsBean_ somehow and is vulnerable to the mentioned CVE, it would
> be worthwhile to configure _BeanUtilsBean_ as recommended in beanutils' release notes.
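One way to apply the workaround Brian describes, configuring the static BeanUtilsBean instance at application startup as the commons-beanutils 1.9.2 release notes recommend, as an added example that is not part of this thread or of Shiro itself (the class name `BeanUtilsHardening` and the `isHardened()` self-check are assumptions; it assumes commons-beanutils 1.9.2 or later on the classpath):

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Startup hook (hypothetical name) that hardens the shared, static BeanUtilsBean
 * instance so the "class" pseudo-property is no longer resolvable through bean
 * property paths. Call once, before any bean population happens.
 */
public final class BeanUtilsHardening {

    private BeanUtilsHardening() {}

    public static void apply() {
        PropertyUtilsBean propertyUtils = BeanUtilsBean.getInstance().getPropertyUtils();
        // SUPPRESS_CLASS hides the getClass() property from bean introspection;
        // this is the configuration the beanutils 1.9.2 release notes recommend.
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class: clear the cache so beans introspected
        // before this call do not keep the old descriptor set that still had "class".
        propertyUtils.clearDescriptors();
    }

    /** Self-check: true when the "class" property can no longer be read. */
    public static boolean isHardened() {
        try {
            BeanUtilsBean.getInstance().getPropertyUtils().getProperty(new Object(), "class");
            return false; // "class" is still reachable
        } catch (NoSuchMethodException expected) {
            return true;  // PropertyUtilsBean reports unknown properties this way
        } catch (Exception other) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened before apply(): " + isHardened());
        apply();
        System.out.println("hardened after apply():  " + isHardened());
    }
}
```

Because `BeanUtilsBean.getInstance()` is per context class loader, run `apply()` from the same class loader that will later call BeanUtils, for example from a servlet context listener or the application's main entry point.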

This message was sent by Atlassian JIRA