2018-08-23 22:35:39 UTC
Looks like in "BEANUTILS-463" Apache says it was fixed in 1.9.2, but the CVE on the National Vulnerability Database (NVD) does not reflect that.
commons-beanutils : 1.9.2
CVE-2014-0114<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114>, commons-beanutils through 1.9.2 does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method.
Information Security Oversight Unit (ISOU)-AppSec Team
Privacy, Security and Disclosure Bureau (PSDB)
Franchise Tax Board
Secure coding is about increasing the complexity demanded for an attack to succeed.
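The BEANUTILS-463 change referenced in the message added SuppressPropertiesBeanIntrospector, which removes the class property from bean introspection; in 1.9.2 it ships but is not enabled on the default instance, so applications have to register it themselves. The following is an added example, not code from the post or from Apache, showing that registration and a check that the property is gone; it assumes commons-beanutils 1.9.2 on the classpath and uses a constructed Account bean.

```java
import java.beans.PropertyDescriptor;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// Added illustration of the BEANUTILS-463 mitigation; assumes commons-beanutils 1.9.2.
public class SuppressClassExample {

    // Constructed bean standing in for any object populated from request parameters.
    public static class Account {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Builds a BeanUtilsBean with the "class" property hidden from introspection.
    // 1.9.2 does not enable this on BeanUtilsBean.getInstance(), so a dedicated
    // instance is configured and used everywhere untrusted input is mapped to beans.
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        beanUtils.getPropertyUtils().addBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    // Check: true when no property descriptor named "class" is exposed for the bean.
    public static boolean classPropertyHidden(BeanUtilsBean beanUtils, Object bean) {
        for (PropertyDescriptor pd : beanUtils.getPropertyUtils().getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a request that carries a "class" key alongside real fields.
        Map<String, String> params = new HashMap<>();
        params.put("name", "alice");
        params.put("class", "ignored");

        BeanUtilsBean beanUtils = hardenedBeanUtils();
        Account account = new Account();
        // With the introspector registered, "class" is an unknown property and is skipped
        // rather than being resolved through getClass().
        beanUtils.populate(account, params);

        System.out.println("name = " + account.getName());
        System.out.println("class property hidden = " + classPropertyHidden(beanUtils, account));
    }
}
```

The same check run against a plain new BeanUtilsBean() without the introspector reports the class descriptor as present, which is a quick way to confirm whether a given instance in an application is actually protected.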