Yauheni Sidarenka created SHIRO-619:
---------------------------------------
Summary: CVE-2014-0114 needs to be addressed properly if it is
possible
Key: SHIRO-619
URL: https://issues.apache.org/jira/browse/SHIRO-619
Project: Shiro
Issue Type: Bug
Affects Versions: 1.4.0-RC2, 1.3.2
Reporter: Yauheni Sidarenka
This issue stems from https://issues.apache.org/jira/browse/SHIRO-576.
In my humble opinion, it is not enough just to set the version of
commons-beanutils to 1.9.2 or to 1.9.3 in order to fix CVE-2014-0114
vulnerability because mentioned versions *DO NOT* fix it by default. In
contrast, the fix should be applied explicitly by beanutils-consuming
applications (see INTRODUCTION section in
http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt).
So, if Shiro uses _BeanUtilsBean_ somehow and is vulnerable to mentioned CVE,
it would be worth to configure _BeanUtilsBean_ as it is recommended in
beanutils' release notes.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
