[ https://issues.apache.org/jira/browse/SHIRO-619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947162#comment-15947162 ]
Brian Demers commented on SHIRO-619:
------------------------------------

You can bring the topic up on the dev@shiro.apache.org list, though the workaround for 1.3 could be just to configure the static instance of BeanUtilsBean when your application starts up.

> Used Limited access BeanUtilsBean
> ---------------------------------
>
>                 Key: SHIRO-619
>                 URL: https://issues.apache.org/jira/browse/SHIRO-619
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.3.2, 1.4.0-RC2
>            Reporter: Yauheni Sidarenka
>
> This issue stems from https://issues.apache.org/jira/browse/SHIRO-576.
> In my humble opinion, it is not enough just to set the version of
> commons-beanutils to 1.9.2 or to 1.9.3 in order to fix the CVE-2014-0114
> vulnerability, because the mentioned versions *DO NOT* fix it by default. In
> contrast, the fix should be applied explicitly by beanutils-consuming
> applications (see the INTRODUCTION section in
> http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt).
> So, if Shiro uses _BeanUtilsBean_ somehow and is vulnerable to the mentioned CVE,
> it would be worth configuring _BeanUtilsBean_ as recommended in
> beanutils' release notes.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
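One way to apply the workaround described in the comment above, as an added example that is neither Shiro's code nor the reporter's: it configures the static BeanUtilsBean singleton at application start-up with the SuppressPropertiesBeanIntrospector that the beanutils 1.9.2 release notes recommend, then verifies that the `class` property is no longer reachable through BeanUtils. The class name BeanUtilsHardening and the UserForm bean are constructed for illustration; commons-beanutils 1.9.2 or later on the classpath is assumed.

```java
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Start-up hook (hypothetical name) that hardens the shared BeanUtilsBean instance. */
public final class BeanUtilsHardening {

    /** Call once at application start-up, before any BeanUtils.* call is made. */
    public static void suppressClassProperty() {
        // BeanUtils.getProperty/setProperty/populate all delegate to this singleton,
        // so configuring it here covers every static BeanUtils call in the JVM.
        BeanUtilsBean.getInstance().getPropertyUtils()
            .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    /** Constructed sample bean standing in for any object reachable by property name. */
    public static class UserForm {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();

        // Before hardening: 'class' is an ordinary readable property on every bean,
        // which is the root of CVE-2014-0114 (nested traversal starting at 'class').
        System.out.println("class before: " + BeanUtils.getProperty(form, "class"));

        suppressClassProperty();

        // Ordinary properties keep working after the introspector is installed...
        System.out.println("name after: " + BeanUtils.getProperty(form, "name"));

        // ...but 'class' is no longer exposed; beanutils reports it as unknown.
        try {
            BeanUtils.getProperty(form, "class");
            System.out.println("class after: STILL EXPOSED, hardening not in effect");
        } catch (NoSuchMethodException e) {
            System.out.println("class after: suppressed (" + e.getMessage() + ")");
        }
    }
}
```

Because the singleton is process-wide, the call must run before any framework code (Shiro's included) first touches BeanUtils, e.g. in a ServletContextListener or the application's main method.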