Package | commons-beanutils |
---|---|
Version | 1.9.3-1+deb10u1 (buster) |
Related CVEs | CVE-2019-10086 |
Arbitrary code execution was possible by default in Apache Commons BeanUtils, a set of Java classes for working with JavaBeans.
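If needed, users can restore the previous default with:

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
final BeanUtilsBean bub = new BeanUtilsBean();
bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
```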
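A startup or unit-test check for which behaviour a given `BeanUtilsBean` has, as an added example that is not part of the advisory or of the BeanUtils project. It relies on `SUPPRESS_CLASS` being the introspector that hides the `class` property of beans; the `Sample` bean and the class and method names are hypothetical.

```java
import java.beans.PropertyDescriptor;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Hypothetical bean used only as an introspection target.
    public static class Sample {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True if this BeanUtilsBean still resolves the "class" property,
    // i.e. SUPPRESS_CLASS is not in effect for it.
    static boolean exposesClassProperty(BeanUtilsBean bub) throws Exception {
        PropertyDescriptor pd =
            bub.getPropertyUtils().getPropertyDescriptor(new Sample(), "class");
        return pd != null;
    }

    public static void main(String[] args) throws Exception {
        // Default instance: with the fixed package this should not expose "class".
        BeanUtilsBean fixedDefault = new BeanUtilsBean();

        // Instance with the previous default restored, as in the advisory.
        BeanUtilsBean restored = new BeanUtilsBean();
        restored.getPropertyUtils()
                .removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        System.out.println("default exposes class:  " + exposesClassProperty(fixedDefault));
        System.out.println("restored exposes class: " + exposesClassProperty(restored));

        // Fail fast if the library on the classpath lacks the fixed default.
        if (exposesClassProperty(fixedDefault)) {
            throw new IllegalStateException(
                "commons-beanutils does not suppress the class property by default");
        }
    }
}
```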
For Debian 10 buster, these problems have been fixed in version 1.9.3-1+deb10u1.
We recommend that you upgrade your commons-beanutils packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.