Description: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Source: CVE (at NVD)
References: DLA-57-1, DSA-2940-1
Debian Bugs: 745897
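Added example, not code from the Debian tracker, Apache Struts or Commons BeanUtils: it shows why an ordinary form bean exposes the ClassLoader through the inherited "class" property, and the two controls a practitioner would apply: the SuppressPropertiesBeanIntrospector shipped with commons-beanutils 1.9.2 and later, and a request-parameter name guard for applications pinned to a version that was not fixed (the wheezy/squeeze no-dsa case below). LoginForm, the parameter names and the regular expression are assumptions made for illustration; the code needs commons-beanutils 1.9.2 or later on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/*
 * Added example, not Debian, Struts or BeanUtils code. Assumes commons-beanutils
 * 1.9.2+ (SuppressPropertiesBeanIntrospector first shipped in 1.9.2). LoginForm,
 * the parameter names and CLASS_SEGMENT are illustrative assumptions.
 */
public class ClassPropertyDemo {

    /** Stand-in for a Struts 1 ActionForm with a single legitimate property. */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    /*
     * Defence in depth for deployments that cannot upgrade: reject any parameter
     * whose dotted/indexed path contains a "class" segment before it reaches
     * BeanUtils. Illustrative pattern, not the one Struts itself ships.
     */
    private static final Pattern CLASS_SEGMENT =
            Pattern.compile("(^|[.\\[('\"])class([.\\[('\"]|$)", Pattern.CASE_INSENSITIVE);

    static boolean isSafeParameterName(String name) {
        return !CLASS_SEGMENT.matcher(name).find();
    }

    /** Walks a nested property path the way populate() does for a request parameter. */
    static String resolve(PropertyUtilsBean utils, Object bean, String path) {
        try {
            Object value = utils.getProperty(bean, path);
            return "resolved to " + (value == null ? "null" : value.getClass().getName());
        } catch (NoSuchMethodException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (ReflectiveOperationException e) {
            return "error (" + e + ")";
        }
    }

    public static void main(String[] args) {
        LoginForm form = new LoginForm();

        // Constructed request parameters: one legitimate, one CVE-2014-0114 probe
        // that walks getClass().getClassLoader() via the inherited "class" property.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("class.classLoader", "x");

        // Default introspection: "class" is a readable property, so the probe reaches the JVM ClassLoader.
        PropertyUtilsBean defaults = new PropertyUtilsBean();

        // Hardened instance: the introspector removes the "class" descriptor, so the
        // path fails at its first segment with "Unknown property 'class'".
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        for (String name : params.keySet()) {
            System.out.println(name);
            System.out.println("  name filter : " + (isSafeParameterName(name) ? "allow" : "block"));
            System.out.println("  default     : " + resolve(defaults, form, name));
            System.out.println("  hardened    : " + resolve(hardened, form, name));
        }
    }
}
```

The example stops at reaching the ClassLoader object; it does not try to write to it. PropertyUtilsBean caches descriptors per bean class, so register the introspector before a bean is first introspected, or call clearDescriptors() on the instance afterwards, otherwise a cached "class" descriptor keeps the path open. Registering SUPPRESS_CLASS on the shared BeanUtilsBean.getInstance().getPropertyUtils() instance covers the static BeanUtils.populate() calls that Struts 1 and most applications use; commons-beanutils 1.9.4 (the bookworm, bullseye and sid version listed below) registers it by default.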

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            Release              Version   Status
commons-beanutils (PTS)   buster               1.9.3-1   fixed
commons-beanutils (PTS)   bookworm, bullseye   1.9.4-1   fixed
commons-beanutils (PTS)   sid, trixie          1.9.4-2   fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs

[wheezy] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
[squeeze] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
