tracker issue : CF-4206998

select a category, or use search below
(searches all categories and all time range)
Title:

Apache Commons Beanutils needs updating to address CVE-2019-10086

| View in Tracker

Status/Resolution/Reason: To Fix//BugVerified

Reporter/Name(from Bugbase): Mike C. / ()

Created: 02/10/2020

Components: Security

Versions: 2016,2018

Failure Type:

Found In Build/Fixed In Build: 13 /

Priority/Frequency: Normal /

Locale/System: / Platforms All

Vote Count: 0

Problem Description:
Security vulderablity with common-beanutils
Per CVE- In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

https://www.itsecdb.com/oval/definition/oval/com.redhat.rhsa/def/20200194/RHSA-2020-0194-apache-commons-beanutils-security-update-Im.html

Steps to Reproduce:

Actual Result:

Expected Result:
ColdFusion should update the JAR file to version 194 to address the CVE
Any Workarounds:

Attachments:

Comments: