
Upgrade Apache Commons BeanUtils to get rid of commons-collections 3.x

Open jn-pt opened this issue 3 months ago • 0 comments

Hi,

The ESAPI library still depends on Commons Collections 3.x, which contains a known vulnerability. Apache Commons Collections is a transitive dependency of Apache Commons BeanUtils. BeanUtils itself has been updated to use Commons Collections 4.x starting with BeanUtils version 2.

Is there any plan to update the BeanUtils version used in ESAPI?

Vulnerability reported by Sonatype:

https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/

Explanation: The Apache commons-collections packages are vulnerable to a Denial of Service (DoS) attack. The add() method of the SetUniqueList class mishandles the order of operations when invoking its parent List implementation. Consequently, adding an instance of itself results in infinite recursion and deviates from the behavior defined by the standard JRE List contract. A remote attacker who can cause an application to add SetUniqueList instances to themselves can exploit this vulnerability to crash the affected application with a StackOverflowError exception.

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note for commons-collections:commons-collections users: The component and its vulnerable classes were relocated (moved) to org.apache.commons:commons-collections4 in later versions. As such, users should upgrade to a fixed version of commons-collections4 instead.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Threat Vectors: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Full Sonatype Scan Report
Issue: sonatype-2024-3350
Source: Sonatype Data Research
SONATYPE Policy Name: Security-High
SONATYPE Threat Level: 7
CVE:
CWE: 674
CWE URL: https://cwe.mitre.org/data/definitions/674.html
CVE CVSS 3.0: Not Set
CVE CVSS 2.0: Not Set
SONATYPE CVSS 3.0: Not Set
Remediation: No recommended versions are available for the current component.

jn-pt, Oct 15 '25 21:10
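The Sonatype note says that when the vulnerable artifact arrives as a bundled transitive dependency, the fix lies with the maintainers who include it, so the first step for a consuming project is to confirm which direct dependency pulls the legacy artifact in. The script below is an added example, not code from the ESAPI project or from the issue author: it parses the plain-text output of `mvn dependency:tree` and prints the path from the project root to any commons-collections:commons-collections 3.x node. The embedded tree is a constructed sample, and `X.Y.Z` is a placeholder standing in for an ESAPI version, not a real release number.

```shell
#!/bin/sh
# Added example, not code from ESAPI or the issue author.
# Scans the plain-text output of `mvn dependency:tree` for the legacy
# commons-collections:commons-collections 3.x artifact flagged by Sonatype
# and prints the chain of dependencies that pulls it in, so the owner of
# the direct dependency (here, ESAPI) can be identified.
# SAMPLE_TREE and CLEAN_TREE are CONSTRUCTED inputs; the ESAPI version
# X.Y.Z is a placeholder, not a real release number.

SAMPLE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.owasp.esapi:esapi:jar:X.Y.Z:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \- commons-fileupload:commons-fileupload:jar:1.5:compile
[INFO] \- org.apache.commons:commons-collections4:jar:4.4:compile'

CLEAN_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] \- org.apache.commons:commons-collections4:jar:4.4:compile'

# find_legacy_collections TREE_TEXT
# Prints one "root -> ... -> commons-collections:...:3.x" path per hit.
# Exit status 0 when the legacy artifact is present, 1 when it is not,
# so the function can gate a CI step.
find_legacy_collections() {
    printf '%s\n' "$1" | awk '
    {
        line = $0
        sub(/^\[INFO\] /, "", line)
        # Each tree level is a 3-character prefix: "+- ", "\- ", "|  " or "   ".
        depth = 0
        while (substr(line, 3, 1) == " " && index("+\\| ", substr(line, 1, 1)) > 0) {
            line = substr(line, 4)
            depth++
        }
        # dependency:tree is depth-first, so the last node seen at each
        # shallower depth is an ancestor of the current node.
        ancestors[depth] = line
        if (line ~ /^commons-collections:commons-collections:jar:3\./) {
            path = ancestors[0]
            for (i = 1; i <= depth; i++) path = path " -> " ancestors[i]
            print path
            found = 1
        }
    }
    END { exit found ? 0 : 1 }'
}

# Stand-alone run: report on the constructed sample.
if find_legacy_collections "$SAMPLE_TREE"; then
    echo "legacy commons-collections 3.x present (see path above)"
else
    echo "no legacy commons-collections 3.x found"
fi
```

To run it against a real build, feed the output of `mvn dependency:tree` into the function instead of the embedded sample; the non-zero exit status lets a pipeline fail when the legacy artifact is present. Excluding or overriding the artifact in a consuming POM would remove it from the tree, but the report lists no recommended version for this component, and an exclusion is only safe if nothing on the classpath still needs those classes at runtime, which is why the issue asks the ESAPI maintainers to move to the BeanUtils line that depends on commons-collections4.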