David Camilo Espitia Manrique created LANG-1079:
---------------------------------------------------
Summary: BUG - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') ClassUtils
Key: LANG-1079
URL: https://issues.apache.org/jira/browse/LANG-1079
Project: Commons Lang
Issue Type: Bug
Components: lang.*
Affects Versions: 3.x
Reporter: David Camilo Espitia Manrique
Priority: Minor
Fix For: 3.x
We are currently using "commons-lang3-3.0", and the Veracode analysis found this bug in "ClassUtils line 792":
Description:
A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.
Recommendations:
Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
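The finding above describes a loader that resolves an externally supplied class name and only discovers the type mismatch after the constructor has run. The following is an added example, not code from the JIRA issue or from Commons Lang, that puts that pattern beside the allow-listed form the recommendation asks for. It calls `java.lang.Class.forName` directly (which is what `ClassUtils.getClass` delegates to) so it compiles without the library; the `Plugin` interface, the `SideEffectClass` stand-in for an unexpected class, and the sample input string are all constructed for the demonstration.

```java
import java.util.Set;

// Added example (not from the JIRA issue or Commons Lang): an untrusted class
// name resolved through reflection, beside an allow-listed version.
public class SafeReflectionDemo {

    /** The only interface the application expects to load by name. */
    public interface Plugin {
        String run();
    }

    /** A legitimate plugin. */
    public static class HelloPlugin implements Plugin {
        public String run() { return "hello"; }
    }

    /** Hypothetical class that an externally supplied name could point at.
     *  It does not implement Plugin, yet its constructor runs as soon as it
     *  is instantiated. */
    public static class SideEffectClass {
        static boolean constructed = false;
        public SideEffectClass() { constructed = true; }
    }

    /** Vulnerable pattern: the class name comes straight from external input.
     *  Class.forName runs static initialisers and newInstance runs the
     *  constructor; the ClassCastException is thrown only after both executed. */
    public static Plugin loadUnsafe(String className) throws Exception {
        Object o = Class.forName(className).getDeclaredConstructor().newInstance();
        return (Plugin) o;
    }

    /** Allow-list of fully qualified (binary) names the application will load.
     *  Constructed for this example. */
    private static final Set<String> ALLOWED = Set.of("SafeReflectionDemo$HelloPlugin");

    /** Hardened pattern: validate the name before any reflective call, resolve
     *  without initialising, and confirm the type before constructing anything. */
    public static Plugin loadSafe(String className) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        Class<?> c = Class.forName(className, false, SafeReflectionDemo.class.getClassLoader());
        if (!Plugin.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException("not a Plugin: " + className);
        }
        return c.asSubclass(Plugin.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a name the application never intended to load.
        String untrustedName = "SafeReflectionDemo$SideEffectClass";

        try {
            loadUnsafe(untrustedName);
        } catch (ClassCastException e) {
            // Too late: the constructor has already run.
            System.out.println("unsafe: ClassCastException, constructor ran = "
                + SideEffectClass.constructed);
        }

        SideEffectClass.constructed = false;
        try {
            loadSafe(untrustedName);
        } catch (IllegalArgumentException e) {
            // Rejected before any reflective call; no code in the named class ran.
            System.out.println("safe: rejected, constructor ran = "
                + SideEffectClass.constructed);
        }

        System.out.println("safe: " + loadSafe("SafeReflectionDemo$HelloPlugin").run());
    }
}
```

Compile and run with `javac SafeReflectionDemo.java && java SafeReflectionDemo` (Java 9 or later for `Set.of`). The order of checks in `loadSafe` is the point: the allow-list test happens before the name reaches the class loader, the class is resolved with `initialize=false` so no static initialiser runs, and `isAssignableFrom` is checked before the constructor is invoked, so an unexpected class is never executed rather than merely failing a cast afterwards.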