In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3e
https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html
https://lists.apache.org/thread.html/[email protected]%3Ccommits.tinkerpop.apache.org%3E
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html
https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:4317
https://access.redhat.com/errata/RHSA-2020:0057
https://www.oracle.com/security-alerts/cpujan2020.html
https://access.redhat.com/errata/RHSA-2020:0194
https://access.redhat.com/errata/RHSA-2020:0811
https://access.redhat.com/errata/RHSA-2020:0804
https://access.redhat.com/errata/RHSA-2020:0805
https://access.redhat.com/errata/RHSA-2020:0806
https://www.oracle.com/security-alerts/cpuapr2020.html
https://lists.apache.org/thread.html/[email protected]%3Cdev.brooklyn.apache.org%3E
https://www.oracle.com/security-alerts/cpujul2020.html
https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.rocketmq.apache.org%3E
https://www.oracle.com/security-alerts/cpujan2021.html
https://lists.apache.org/thread.html/[email protected]%3Ccommits.dolphinscheduler.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.dolphinscheduler.apache.org%3E
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
Source: MITRE
Published: 2019-08-20
Updated: 2022-07-25
Type: CWE-502
Base Score: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 10
Severity: HIGH
Base Score: 7.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Impact Score: 3.4
Exploitability Score: 3.9
Severity: HIGH