#1106746 commons-beanutils: CVE-2025-48734

Package:
src:commons-beanutils
Source:
src:commons-beanutils
Submitter:
Salvatore Bonaccorso
Date:
2025-08-22 15:43:02 UTC
Severity:
normal
Tags:
#1106746#5
Date:
2025-05-29 05:04:54 UTC
From:
To:
Hi,

The following vulnerability was published for commons-beanutils.

CVE-2025-48734[0]:
| Improper Access Control vulnerability in Apache Commons.    A
| special BeanIntrospector class was added in version 1.9.2. This can
| be used to stop attackers from using the declared class property of
| Java enum objects to get access to the classloader. However this
| protection was not enabled by default. PropertyUtilsBean (and
| consequently BeanUtilsBean) now disallows declared class level
| property access by default.      Releases 1.11.0 and 2.0.0-M2
| address a potential security issue when accessing enum properties in
| an uncontrolled way. If an application using Commons BeanUtils
| passes property paths from an external source directly to the
| getProperty() method of PropertyUtilsBean, an attacker can access
| the enum’s class loader via the “declaredClass” property available
| on all Java “enum” objects. Accessing the enum’s “declaredClass”
| allows remote attackers to access the ClassLoader and execute
| arbitrary code. The same issue exists with
| PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0
| and 2.0.0-M2 a special BeanIntrospector suppresses the
| “declaredClass” property. Note that this new BeanIntrospector is
| enabled by default, but you can disable it to regain the old
| behavior; see section 2.5 of the user's guide and the unit tests.
| This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and
| 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-
| beanutils   1.x are recommended to upgrade to version 1.11.0, which
| fixes the issue.   Users of the artifact org.apache.commons:commons-
| beanutils2   2.x are recommended to upgrade to version 2.0.0-M2,
| which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48734
https://www.cve.org/CVERecord?id=CVE-2025-48734
[1] https://www.openwall.com/lists/oss-security/2025/05/28/6
[2] https://dlcdn.apache.org/commons/beanutils/RELEASE-NOTES.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1106746#12
Date:
2025-07-18 12:21:26 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for commons-beanutils (versioned as 1.10.1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian

#1106746#21
Date:
2025-07-20 12:34:02 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
commons-beanutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1106746@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated commons-beanutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 17 Jul 2025 16:01:37 +0300
Source: commons-beanutils
Architecture: source
Version: 1.10.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1106746
Changes:
 commons-beanutils (1.10.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-48734: Improper access control (Closes: #1106746)
Checksums-Sha1:
 845141308e08e84b6185687e8167d839b09dde03 2317 commons-beanutils_1.10.1-1.1.dsc
 8f4ed8b96e9fda0245821b79458333d25ce6b734 6604 commons-beanutils_1.10.1-1.1.debian.tar.xz
Checksums-Sha256:
 cc17bae208c3d9afb9fc0e0462e9a6519c2fcd65c6b952fb33b009b34b1c3ec5 2317 commons-beanutils_1.10.1-1.1.dsc
 e8cee3e829e61f19a0b389efea35db1866f3a912553b3351632cd522c1cb2e07 6604 commons-beanutils_1.10.1-1.1.debian.tar.xz
Files:
 3089bec5d615a000d9d24cb4467234c9 2317 java optional commons-beanutils_1.10.1-1.1.dsc
 9d66bc5aa90bb15c37922090e85e692d 6604 java optional commons-beanutils_1.10.1-1.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmh6OU4ACgkQiNJCh6LY
mLGkVxAArgcDMMbvtsQwnK4NAWdy2JUCo+kxolPhtSoM7KcybM0DtASsHncSScPN
kOCDV/2+UQUMXvn9RjklfN/H64vbc7kOzCQ8uIoWIZYqlWrIWWjhj5Tl/h3TMJbm
+RW8KKXzmVHEJafaW1MSHoQGZJn+V9HmZAYQtfqSpvDugJUzLhZV1JP6+cylE9DH
Xfitbqrbf2zPQqG1DbtGBdabb4r3mI2t39ZhUVA+Zfx5IUD7/rsu/9rUybt4zgkT
E63j8yL21DDIduqAjG2ggikM3zgYpB1Lk0ANL9wUWSTf6WM9ykYIcGE4cDIoMrLn
8BgObTwYcMeRkjWCjnA3bvyAQOdgBphzZkBfssEYrrqMbZrYENy+oQ2PvSaND2sn
KTDrHHHem+HU3wFduKDfw3wh6s0iDi99g6AlEDp9GlKmTFu7zAFVot1WzAJtU+V6
3ZC+MV3NcQi/5RUA7ktWAAuzyZ3WelgLrP/hQP6lILGLdRbFhNsWKf/kxpFayu6s
sjXBuiaha4KF4tvfh8QqBP+bX8MtwoDUJfzWM0RWwRI5xmczd4eql9LC+NwSFwJD
FCOTbk9ToLk7rmioCnoShL/+TuN67epw1xFMtsrX56h7jpnFSd8e0xbdaLmDieQw
AIxJBFox53sV3HQYc72Sc8bxHnEQGyf4CD5SPah5SQAIFODRxTM=
=Fxk+
-----END PGP SIGNATURE-----