[ https://issues.apache.org/jira/browse/SOLR-9153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16021751#comment-16021751 ]

Hrishikesh Gadre commented on SOLR-9153:
----------------------------------------

[~mdrob] What's your take on this? Should we commit this change?

> Update beanutils version to 1.9.2
> ---------------------------------
>
>                 Key: SOLR-9153
>                 URL: https://issues.apache.org/jira/browse/SOLR-9153
>             Project: Solr
>          Issue Type: Bug
>          Components: contrib - Velocity
>    Affects Versions: 6.0
>            Reporter: Mike Drob
>            Priority: Minor
>         Attachments: SOLR-9153.patch
>
>
> See CVE-2014-0114 -- 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
> {quote}
> Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar 
> in Apache Struts 1.x through 1.3.10 and in other products requiring 
> commons-beanutils through 1.9.2, does not suppress the class property, which 
> allows remote attackers to "manipulate" the ClassLoader and execute arbitrary 
> code via the class parameter, as demonstrated by the passing of this 
> parameter to the getClass method of the ActionForm object in Struts 1. 
> {quote}
> We transitively depend on BeanUtils through Velocity, but it doesn't look 
> like there is much movement on the project there. See BEANUTILS-463 and 
> VELTOOLS-170
> Also, this might have impact on SOLR-3736 but that issue also looks largely 
> abandoned.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
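The fix that BeanUtils 1.9.2 ships for the CVE quoted above is an opt-in introspector that removes the `class` property from the set BeanUtils will resolve, so request-driven population can no longer reach `Object.getClass()`. The following is an added example (not Solr, Velocity or BeanUtils project code) showing how a consumer enables that introspector and how to verify it is active; it assumes commons-beanutils 1.9.2 or later on the classpath, and `SearchForm` is a hypothetical bean standing in for a request-bound form.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Hardening check for CVE-2014-0114. BeanUtils 1.9.2 provides
 * SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS, which drops the "class"
 * property from introspection results; without it, any bean exposes
 * Object.getClass() as a readable property named "class".
 */
public class BeanUtilsClassPropertyCheck {

    /** Hypothetical request-bound form bean (not from any real project). */
    public static class SearchForm {
        private String query = "";
        public String getQuery() { return query; }
        public void setQuery(String query) { this.query = query; }
    }

    /** Default introspectors only: "class" is still a visible property. */
    public static BeanUtilsBean defaultBeanUtils() {
        return new BeanUtilsBean();
    }

    /**
     * Registers SUPPRESS_CLASS before any introspection happens on this instance.
     * PropertyUtilsBean caches descriptors per class, so register introspectors
     * on a fresh instance (or call resetBeanIntrospectors()/clearDescriptors()).
     */
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean bean = new BeanUtilsBean();
        bean.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bean;
    }

    /** True if this BeanUtilsBean still resolves "class" on the target's type. */
    public static boolean exposesClassProperty(BeanUtilsBean bean, Object target) {
        return bean.getPropertyUtils().isReadable(target, "class");
    }

    public static void main(String[] args) throws Exception {
        SearchForm form = new SearchForm();

        // Expected: default -> true, hardened -> false
        System.out.println("default  exposes class: "
                + exposesClassProperty(defaultBeanUtils(), form));
        System.out.println("hardened exposes class: "
                + exposesClassProperty(hardenedBeanUtils(), form));

        // Constructed stand-in for untrusted request parameters; only "query"
        // is a legitimate property of SearchForm.
        Map<String, Object> params = new HashMap<>();
        params.put("query", "solr");
        params.put("class", "anything");

        BeanUtilsBean hardened = hardenedBeanUtils();
        hardened.populate(form, params);   // "class" is unknown to the introspector and skipped
        Map<String, String> described = hardened.describe(form);

        System.out.println("query = " + form.getQuery());
        System.out.println("describe() lists 'class': " + described.containsKey("class"));
    }
}
```

Registering the introspector is per `BeanUtilsBean` instance; a library that uses the shared singleton (`BeanUtilsBean.getInstance()`) needs it added there, which is why merely bumping the transitive dependency to 1.9.2, as the issue proposes, only makes the mitigation available and does not by itself turn it on.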
