Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProperty and getNestedProperty methods of the PropertyUtilsBean class. An attacker can execute arbitrary code by accessing the declaredClass property of Java enum objects, which allows access to the ClassLoader.
Note:
The BeanIntrospector class that can mitigate this vulnerability was added in version 1.9.2 but its usage was not enabled by default.
Remediation
Upgrade commons-beanutils:commons-beanutils to version 1.11.0 or higher.