VulnerableCode Package Details - pkg:rpm/redhat/eap8-apache-commons-beanutils@1.11.0-1.redhat

Search for packages

Vulnerability	Summary	Fixed by
VCID-1j1w-c84m-b3h3 Aliases: CVE-2025-48734 GHSA-wxr5-93ph-8wr9	Apache Commons Improper Access Control vulnerability Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.	There are no reported fixed by versions.
VCID-7bzk-k461-g3dd Aliases: CVE-2025-2251	org.jboss.eap:wildfly-ejb3: Improper Deserialization in JBoss Marshalling Allows Remote Code Execution	There are no reported fixed by versions.
VCID-8ew2-s4a9-u7cu Aliases: CVE-2025-2901 GHSA-f7jh-m6wp-jm7f	HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.11.Final](https://github.com/hal/console/releases/tag/v3.7.11) ### Workarounds No workaround available	There are no reported fixed by versions.
VCID-k7q1-8u4r-sqd7 Aliases: CVE-2025-27611 GHSA-xq7p-g2vc-g82p	Homograph attack allows Unicode lookalike characters to bypass validation. ### Impact Attackers can deceive users into sending funds to an unintended address. ### Patches https://github.com/cryptocoinjs/base-x/pull/86	There are no reported fixed by versions.
VCID-ytk3-rjrf-wfh9 Aliases: CVE-2025-23184 GHSA-fh5r-crhr-qrrq	Apache CXF: Denial of Service vulnerability with temporary files A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-1j1w-c84m-b3h3
Aliases:
CVE-2025-48734
GHSA-wxr5-93ph-8wr9

Apache Commons Improper Access Control vulnerability Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.