
I recently came across a vulnerability which was caused by unsafe deserialization (Java) and the use of the Apache Commons library commons-beanutils. The ysoserial project references commons-beanutils 1.9.2, so I thought that there might be a later version with an improvement that breaks the gadget, similar to what was introduced in commons-collections version 3.2.2. But even in the latest version, 1.9.4, the gadget works just perfectly, as anyone can confirm with a small example program.

Is there no fix?

kaidentity
  • Most likely the developers of the ysoserial project don't know about the vulnerability and thus don't update the dependencies. So you had better open an issue at the ysoserial project. – Robert Jun 28 '22 at 12:54
  • ysoserial is the project that collects all gadgets, so by definition it contains references to vulnerable versions. And as I said, even the most recent version of the library is still vulnerable and I'd like to know if there is any information available why no one cares to fix this. – kaidentity Jun 29 '22 at 07:07
  • According to [mvnrepository.com](https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils/1.9.4) commons-beanutils 1.9.4 does not have a vulnerability. But based on your question it is not clear which CVE you are talking about; please edit your question and add the CVE number. If a piece of software has a vulnerability there should be an issue or bug report where the history is documented; you should search for such an issue, maybe it helps you to understand why there is no fix. – Robert Jun 29 '22 at 07:13
  • In the end I have to say I don't understand why you posted this question. Such a question is something you have to ask the developers of commons-beanutils. – Robert Jun 29 '22 at 07:13
