[
https://issues.apache.org/jira/browse/VELTOOLS-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16913259#comment-16913259
]
ajbanck commented on VELTOOLS-183:
----------------------------------
I am sorry, I pasted in the wrong CVE number. This is about CVE-2019-10086
fixed in beanutils 1.9.4*.*
The issue is on trunk using beanutils 1.9.3 (having the vulnerability), this
vulnerability was resolved in beanutils 1.9.4
[http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3e]
With beanutils 1.9.4 the access to class is suppressed by default
> beanutils 1.9.4 breaks velocity-tools
> -------------------------------------
>
> Key: VELTOOLS-183
> URL: https://issues.apache.org/jira/browse/VELTOOLS-183
> Project: Velocity Tools
> Issue Type: Bug
> Reporter: ajbanck
> Priority: Major
>
> beanutils 1.9.4 was release to mitigate CVE-2019-10086. For this the
> *default* behaviour of the BeanUtilsBean was changed to not allow class level
> access, see BEANUTILS-520.
> When using velocity-tools in a project that manages/enforces beanutils to
> version 1.9.4 velocity-tools stops working as expected. This is easily
> demonstrated with the unittests.
> Running the velocity-tools unit tests will fail on ConfigTests.testXmlConfig
> # In velocity-tools-generic/pom.xml update commons-beanutils to 1.9.4
> # run mvn verify
> Result
> {noformat}
> [ERROR]
> testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)
> Time elapsed: 0.007 s <<< ERROR!
> [ERROR]testPropsPlusXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)
> Time elapsed: 0.007 s <<< ERROR!
> org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose
> class is 'null'
> at
> org.apache.velocity.tools.test.whitebox.ConfigTests.assertConfigEquals(ConfigTests.java:428)
> at
> org.apache.velocity.tools.test.whitebox.ConfigTests.testPropsPlusXmlConfig(ConfigTests.java:120)
> [ERROR] testXmlConfig(org.apache.velocity.tools.test.whitebox.ConfigTests)
> Time elapsed: 0.003 s <<< FAILURE!
> java.lang.AssertionError:
> **** Unexpected Invalid Configuration ****
> FactoryConfiguration from 2 sources including 1 data with 2 toolboxes:
> Toolbox 'application' with 1 properties [scope -auto-> application; ] and 2
> tools:
> Tool 'null' => null with 1 properties [locale -auto-> fr; ]
> Tool 'calc' => null with 1 properties [key -auto-> calc; ]{noformat}
>
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
