Vulnerabilities

 1 via 2 paths

Dependencies

 57

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 1
  • 1
Severity
  • 2
Status
  • 2
  • 0
  • 0

high severity

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • Vulnerable module: commons-beanutils:commons-beanutils
  • Introduced through: org.apache.velocity.tools:velocity-tools-generic@3.1

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core org.apache.velocity.tools:velocity-tools-generic@3.1 commons-beanutils:commons-beanutils@1.9.4
  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core org.apache.velocity.tools:velocity-tools-generic@3.1 org.apache.commons:commons-digester3@3.2 commons-beanutils:commons-beanutils@1.9.4

Overview

commons-beanutils:commons-beanutils is a provides an easy-to-use but flexible wrapper around reflection and introspection.

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProperty and getNestedProperty methods of the PropertyUtilsBean class. An attacker can execute arbitrary code by accessing the declaredClass property of Java enum objects, which allows access to the ClassLoader.

Note:

The BeanIntrospector class that can mitigate this vulnerability was added in version 1.9.2 but its usage was not enabled by default.

Remediation

Upgrade commons-beanutils:commons-beanutils to version 1.11.0 or higher.

References

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability report

high severity
new

GPL-2.0 license

  • Module: jakarta.servlet.jsp:jakarta.servlet.jsp-api
  • Introduced through: jakarta.servlet.jsp:jakarta.servlet.jsp-api@4.1.0-M1

Detailed paths

  • Introduced through: openmrs/openmrs-core@openmrs/openmrs-core jakarta.servlet.jsp:jakarta.servlet.jsp-api@4.1.0-M1

GPL-2.0 license

GPL-2.0 license vulnerability report