- Package:
- src:commons-beanutils
- Source:
- src:commons-beanutils
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2025-08-22 15:43:02 UTC
- Severity:
- normal
- Tags:
Hi, The following vulnerability was published for commons-beanutils. CVE-2025-48734[0]: | Improper Access Control vulnerability in Apache Commons. A | special BeanIntrospector class was added in version 1.9.2. This can | be used to stop attackers from using the declared class property of | Java enum objects to get access to the classloader. However this | protection was not enabled by default. PropertyUtilsBean (and | consequently BeanUtilsBean) now disallows declared class level | property access by default. Releases 1.11.0 and 2.0.0-M2 | address a potential security issue when accessing enum properties in | an uncontrolled way. If an application using Commons BeanUtils | passes property paths from an external source directly to the | getProperty() method of PropertyUtilsBean, an attacker can access | the enum’s class loader via the “declaredClass” property available | on all Java “enum” objects. Accessing the enum’s “declaredClass” | allows remote attackers to access the ClassLoader and execute | arbitrary code. The same issue exists with | PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 | and 2.0.0-M2 a special BeanIntrospector suppresses the | “declaredClass” property. Note that this new BeanIntrospector is | enabled by default, but you can disable it to regain the old | behavior; see section 2.5 of the user's guide and the unit tests. | This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and | 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons- | beanutils 1.x are recommended to upgrade to version 1.11.0, which | fixes the issue. Users of the artifact org.apache.commons:commons- | beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, | which fixes the issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-48734 https://www.cve.org/CVERecord?id=CVE-2025-48734 [1] https://www.openwall.com/lists/oss-security/2025/05/28/6 [2] https://dlcdn.apache.org/commons/beanutils/RELEASE-NOTES.txt Please adjust the affected versions in the BTS as needed. Regards, Salvatore
Dear maintainer, I've prepared an NMU for commons-beanutils (versioned as 1.10.1-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. cu Adrian
We believe that the bug you reported is fixed in the latest version of commons-beanutils, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1106746@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Adrian Bunk <bunk@debian.org> (supplier of updated commons-beanutils package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Thu, 17 Jul 2025 16:01:37 +0300 Source: commons-beanutils Architecture: source Version: 1.10.1-1.1 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Adrian Bunk <bunk@debian.org> Closes: 1106746 Changes: commons-beanutils (1.10.1-1.1) unstable; urgency=medium . * Non-maintainer upload. * CVE-2025-48734: Improper access control (Closes: #1106746) Checksums-Sha1: 845141308e08e84b6185687e8167d839b09dde03 2317 commons-beanutils_1.10.1-1.1.dsc 8f4ed8b96e9fda0245821b79458333d25ce6b734 6604 commons-beanutils_1.10.1-1.1.debian.tar.xz Checksums-Sha256: cc17bae208c3d9afb9fc0e0462e9a6519c2fcd65c6b952fb33b009b34b1c3ec5 2317 commons-beanutils_1.10.1-1.1.dsc e8cee3e829e61f19a0b389efea35db1866f3a912553b3351632cd522c1cb2e07 6604 commons-beanutils_1.10.1-1.1.debian.tar.xz Files: 3089bec5d615a000d9d24cb4467234c9 2317 java optional commons-beanutils_1.10.1-1.1.dsc 9d66bc5aa90bb15c37922090e85e692d 6604 java optional commons-beanutils_1.10.1-1.1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmh6OU4ACgkQiNJCh6LY mLGkVxAArgcDMMbvtsQwnK4NAWdy2JUCo+kxolPhtSoM7KcybM0DtASsHncSScPN kOCDV/2+UQUMXvn9RjklfN/H64vbc7kOzCQ8uIoWIZYqlWrIWWjhj5Tl/h3TMJbm +RW8KKXzmVHEJafaW1MSHoQGZJn+V9HmZAYQtfqSpvDugJUzLhZV1JP6+cylE9DH Xfitbqrbf2zPQqG1DbtGBdabb4r3mI2t39ZhUVA+Zfx5IUD7/rsu/9rUybt4zgkT E63j8yL21DDIduqAjG2ggikM3zgYpB1Lk0ANL9wUWSTf6WM9ykYIcGE4cDIoMrLn 8BgObTwYcMeRkjWCjnA3bvyAQOdgBphzZkBfssEYrrqMbZrYENy+oQ2PvSaND2sn KTDrHHHem+HU3wFduKDfw3wh6s0iDi99g6AlEDp9GlKmTFu7zAFVot1WzAJtU+V6 3ZC+MV3NcQi/5RUA7ktWAAuzyZ3WelgLrP/hQP6lILGLdRbFhNsWKf/kxpFayu6s sjXBuiaha4KF4tvfh8QqBP+bX8MtwoDUJfzWM0RWwRI5xmczd4eql9LC+NwSFwJD FCOTbk9ToLk7rmioCnoShL/+TuN67epw1xFMtsrX56h7jpnFSd8e0xbdaLmDieQw AIxJBFox53sV3HQYc72Sc8bxHnEQGyf4CD5SPah5SQAIFODRxTM= =Fxk+ -----END PGP SIGNATURE-----