
Alma Linux: CVE-2025-48734: Important: apache-commons-beanutils security update (Multiple Advisories)

Severity: 9
CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: May 28, 2025
Added: Jul 4, 2025
Modified: Nov 13, 2025

Description

Improper Access Control vulnerability in Apache Commons.

A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.

Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
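The two controls the description points at, shown together in an added example (this is not code from the advisory or from the Commons BeanUtils project): an explicit SuppressPropertiesBeanIntrospector for deployments that cannot yet move to 1.11.0 / 2.0.0-M2, plus an allow-list on externally supplied property paths so that untrusted input is never handed to getProperty() unchecked. The Widget/Color types, the ALLOWED set and the helper names are constructed for the example. The property hidden here is named "declaringClass", the JavaBeans name of Enum.getDeclaringClass(), which is the enum property the description refers to; the introspector, addBeanIntrospector, clearDescriptors and getNestedProperty are real BeanUtils 1.9.x APIs. Written against the commons-beanutils:commons-beanutils 1.x artifact.

```java
import java.util.Collections;
import java.util.Set;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    // Constructed sample types: a bean exposing an enum property is the shape
    // of application object the advisory describes.
    public enum Color { RED, GREEN }

    public static class Widget {
        private final String name = "demo";
        private final Color color = Color.RED;
        public String getName() { return name; }
        public Color getColor() { return color; }
    }

    // Only these top-level property names may be requested by external callers
    // (constructed allow-list; adapt to the bean actually exposed).
    private static final Set<String> ALLOWED = Set.of("name", "color");

    // Control 1 (pre-1.11.0 deployments): register an introspector that removes the
    // enum's "declaringClass" property from every PropertyUtils lookup. 1.11.0 and
    // 2.0.0-M2 register an equivalent introspector by default.
    public static void suppressDeclaringClass() {
        PropertyUtilsBean pub = BeanUtilsBean.getInstance().getPropertyUtils();
        pub.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Collections.singleton("declaringClass")));
        // Descriptors cached before the introspector was added would still contain
        // the property, so flush the cache.
        pub.clearDescriptors();
    }

    // Control 2: validate an externally supplied path before BeanUtils sees it.
    // A nested path such as "color.declaringClass" is not in the allow-list and
    // is rejected without ever reaching getProperty().
    public static Object readProperty(Object bean, String path) throws Exception {
        if (!ALLOWED.contains(path)) {
            throw new IllegalArgumentException("property not allowed: " + path);
        }
        return PropertyUtils.getProperty(bean, path);
    }

    public static void main(String[] args) throws Exception {
        suppressDeclaringClass();
        Widget w = new Widget();

        System.out.println(readProperty(w, "color")); // RED

        try {
            readProperty(w, "color.declaringClass");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by allow-list: " + e.getMessage());
        }

        // Even if the allow-list were bypassed, the introspector has made the
        // property unknown to BeanUtils, so the nested lookup fails instead of
        // returning a Class object.
        try {
            PropertyUtils.getNestedProperty(w, "color.declaringClass");
        } catch (NoSuchMethodException e) {
            System.out.println("suppressed by introspector: " + e.getMessage());
        }
    }
}
```

Call suppressDeclaringClass() once at application start-up, before any bean is introspected; the introspector is shared through BeanUtilsBean.getInstance(), so the static PropertyUtils and BeanUtils entry points both honour it. The allow-list is the stronger of the two controls because it removes the dependency on which properties a given BeanUtils version happens to hide.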

Solutions

alma-upgrade-ant
alma-upgrade-ant-antlr
alma-upgrade-ant-apache-bcel
alma-upgrade-ant-apache-bsf
alma-upgrade-ant-apache-log4j
alma-upgrade-ant-apache-oro
alma-upgrade-ant-apache-regexp
alma-upgrade-ant-apache-resolver
alma-upgrade-ant-apache-xalan2
alma-upgrade-ant-commons-logging
alma-upgrade-ant-commons-net
alma-upgrade-ant-contrib
alma-upgrade-ant-contrib-javadoc
alma-upgrade-ant-javadoc
alma-upgrade-ant-javamail
alma-upgrade-ant-jdepend
alma-upgrade-ant-jmf
alma-upgrade-ant-jsch
alma-upgrade-ant-junit
alma-upgrade-ant-lib
alma-upgrade-ant-manual
alma-upgrade-ant-swing
alma-upgrade-ant-testutil
alma-upgrade-ant-xz
alma-upgrade-antlr-c++
alma-upgrade-antlr-javadoc
alma-upgrade-antlr-manual
alma-upgrade-antlr-tool
alma-upgrade-aopalliance
alma-upgrade-aopalliance-javadoc
alma-upgrade-apache-commons-beanutils
alma-upgrade-apache-commons-beanutils-javadoc
alma-upgrade-apache-commons-cli
alma-upgrade-apache-commons-cli-javadoc
alma-upgrade-apache-commons-codec
alma-upgrade-apache-commons-codec-javadoc
alma-upgrade-apache-commons-collections
alma-upgrade-apache-commons-collections-javadoc
alma-upgrade-apache-commons-collections-testframework
alma-upgrade-apache-commons-compress
alma-upgrade-apache-commons-compress-javadoc
alma-upgrade-apache-commons-exec
alma-upgrade-apache-commons-exec-javadoc
alma-upgrade-apache-commons-io
alma-upgrade-apache-commons-io-javadoc
alma-upgrade-apache-commons-jxpath
alma-upgrade-apache-commons-jxpath-javadoc
alma-upgrade-apache-commons-lang
alma-upgrade-apache-commons-lang-javadoc
alma-upgrade-apache-commons-lang3
alma-upgrade-apache-commons-lang3-javadoc
alma-upgrade-apache-commons-logging
alma-upgrade-apache-commons-logging-javadoc
alma-upgrade-apache-commons-net
alma-upgrade-apache-commons-net-javadoc
alma-upgrade-apache-commons-parent
alma-upgrade-apache-ivy
alma-upgrade-apache-ivy-javadoc
alma-upgrade-apache-parent
alma-upgrade-apache-resource-bundles
alma-upgrade-aqute-bnd
alma-upgrade-aqute-bnd-javadoc
alma-upgrade-aqute-bndlib
alma-upgrade-assertj-core
alma-upgrade-assertj-core-javadoc
alma-upgrade-atinject
alma-upgrade-atinject-javadoc
alma-upgrade-atinject-tck
alma-upgrade-bcel
alma-upgrade-bcel-javadoc
alma-upgrade-beust-jcommander
alma-upgrade-beust-jcommander-javadoc
alma-upgrade-bnd-maven-plugin
alma-upgrade-bsf
alma-upgrade-bsf-javadoc
alma-upgrade-bsh
alma-upgrade-bsh-javadoc
alma-upgrade-bsh-manual
alma-upgrade-byaccj
alma-upgrade-cal10n
alma-upgrade-cal10n-javadoc
alma-upgrade-cdi-api
alma-upgrade-cdi-api-javadoc
alma-upgrade-cglib
alma-upgrade-cglib-javadoc
alma-upgrade-easymock
alma-upgrade-easymock-javadoc
alma-upgrade-exec-maven-plugin
alma-upgrade-exec-maven-plugin-javadoc
alma-upgrade-felix-osgi-compendium
alma-upgrade-felix-osgi-compendium-javadoc
alma-upgrade-felix-osgi-core
alma-upgrade-felix-osgi-core-javadoc
alma-upgrade-felix-osgi-foundation
alma-upgrade-felix-osgi-foundation-javadoc
alma-upgrade-felix-parent
alma-upgrade-felix-utils
alma-upgrade-felix-utils-javadoc
alma-upgrade-forge-parent
alma-upgrade-fusesource-pom
alma-upgrade-geronimo-annotation
alma-upgrade-geronimo-annotation-javadoc
alma-upgrade-geronimo-jms
alma-upgrade-geronimo-jms-javadoc
alma-upgrade-geronimo-jpa
alma-upgrade-geronimo-jpa-javadoc
alma-upgrade-geronimo-parent-poms
alma-upgrade-glassfish-annotation-api
alma-upgrade-glassfish-annotation-api-javadoc
alma-upgrade-glassfish-el
alma-upgrade-glassfish-el-api
alma-upgrade-glassfish-el-javadoc
alma-upgrade-glassfish-jsp-api
alma-upgrade-glassfish-jsp-api-javadoc
alma-upgrade-glassfish-legal
alma-upgrade-glassfish-master-pom
alma-upgrade-glassfish-servlet-api
alma-upgrade-glassfish-servlet-api-javadoc
alma-upgrade-google-guice
alma-upgrade-google-guice-javadoc
alma-upgrade-guava20
alma-upgrade-guava20-javadoc
alma-upgrade-guava20-testlib
alma-upgrade-guice-assistedinject
alma-upgrade-guice-bom
alma-upgrade-guice-extensions
alma-upgrade-guice-grapher
alma-upgrade-guice-jmx
alma-upgrade-guice-jndi
alma-upgrade-guice-multibindings
alma-upgrade-guice-parent
alma-upgrade-guice-servlet
alma-upgrade-guice-testlib
alma-upgrade-guice-throwingproviders
alma-upgrade-hamcrest
alma-upgrade-hamcrest-core
alma-upgrade-hamcrest-demo
alma-upgrade-hamcrest-javadoc
alma-upgrade-hawtjni
alma-upgrade-hawtjni-javadoc
alma-upgrade-hawtjni-runtime
alma-upgrade-httpcomponents-client
alma-upgrade-httpcomponents-client-cache
alma-upgrade-httpcomponents-client-javadoc
alma-upgrade-httpcomponents-core
alma-upgrade-httpcomponents-core-javadoc
alma-upgrade-httpcomponents-project
alma-upgrade-isorelax
alma-upgrade-isorelax-javadoc
alma-upgrade-ivy-local
alma-upgrade-jakarta-commons-httpclient
alma-upgrade-jakarta-commons-httpclient-demo
alma-upgrade-jakarta-commons-httpclient-javadoc
alma-upgrade-jakarta-commons-httpclient-manual
alma-upgrade-jakarta-oro
alma-upgrade-jakarta-oro-javadoc
alma-upgrade-jansi
alma-upgrade-jansi-javadoc
alma-upgrade-jansi-native
alma-upgrade-jansi-native-javadoc
alma-upgrade-java_cup
alma-upgrade-java_cup-javadoc
alma-upgrade-java_cup-manual
alma-upgrade-javacc
alma-upgrade-javacc-demo
alma-upgrade-javacc-javadoc
alma-upgrade-javacc-manual
alma-upgrade-javacc-maven-plugin
alma-upgrade-javacc-maven-plugin-javadoc
alma-upgrade-javamail
alma-upgrade-javamail-javadoc
alma-upgrade-javapackages-filesystem
alma-upgrade-javapackages-local
alma-upgrade-javapackages-tools
alma-upgrade-javassist
alma-upgrade-javassist-javadoc
alma-upgrade-jaxen
alma-upgrade-jaxen-demo
alma-upgrade-jaxen-javadoc
alma-upgrade-jboss-interceptors-1.2-api
alma-upgrade-jboss-interceptors-1.2-api-javadoc
alma-upgrade-jboss-parent
alma-upgrade-jcl-over-slf4j
alma-upgrade-jdepend
alma-upgrade-jdepend-demo
alma-upgrade-jdepend-javadoc
alma-upgrade-jdependency
alma-upgrade-jdependency-javadoc
alma-upgrade-jdom
alma-upgrade-jdom-demo
alma-upgrade-jdom-javadoc
alma-upgrade-jdom2
alma-upgrade-jdom2-javadoc
alma-upgrade-jflex
alma-upgrade-jflex-javadoc
alma-upgrade-jline
alma-upgrade-jline-javadoc
alma-upgrade-jsch
alma-upgrade-jsch-javadoc
alma-upgrade-jsoup
alma-upgrade-jsoup-javadoc
alma-upgrade-jsr-305
alma-upgrade-jsr-305-javadoc
alma-upgrade-jtidy
alma-upgrade-jtidy-javadoc
alma-upgrade-jul-to-slf4j
alma-upgrade-junit
alma-upgrade-junit-javadoc
alma-upgrade-junit-manual
alma-upgrade-jvnet-parent
alma-upgrade-jzlib
alma-upgrade-jzlib-demo
alma-upgrade-jzlib-javadoc
alma-upgrade-log4j-over-slf4j
alma-upgrade-log4j12
alma-upgrade-log4j12-javadoc
alma-upgrade-maven
alma-upgrade-maven-antrun-plugin
alma-upgrade-maven-antrun-plugin-javadoc
alma-upgrade-maven-archiver
alma-upgrade-maven-archiver-javadoc
alma-upgrade-maven-artifact
alma-upgrade-maven-artifact-manager
alma-upgrade-maven-artifact-resolver
alma-upgrade-maven-artifact-resolver-javadoc
alma-upgrade-maven-artifact-transfer
alma-upgrade-maven-artifact-transfer-javadoc
alma-upgrade-maven-assembly-plugin
alma-upgrade-maven-assembly-plugin-javadoc
alma-upgrade-maven-cal10n-plugin
alma-upgrade-maven-clean-plugin
alma-upgrade-maven-clean-plugin-javadoc
alma-upgrade-maven-common-artifact-filters
alma-upgrade-maven-common-artifact-filters-javadoc
alma-upgrade-maven-compiler-plugin
alma-upgrade-maven-compiler-plugin-javadoc
alma-upgrade-maven-dependency-analyzer
alma-upgrade-maven-dependency-analyzer-javadoc
alma-upgrade-maven-dependency-plugin
alma-upgrade-maven-dependency-plugin-javadoc
alma-upgrade-maven-dependency-tree
alma-upgrade-maven-dependency-tree-javadoc
alma-upgrade-maven-doxia
alma-upgrade-maven-doxia-core
alma-upgrade-maven-doxia-javadoc
alma-upgrade-maven-doxia-logging-api
alma-upgrade-maven-doxia-module-apt
alma-upgrade-maven-doxia-module-confluence
alma-upgrade-maven-doxia-module-docbook-simple
alma-upgrade-maven-doxia-module-fml
alma-upgrade-maven-doxia-module-latex
alma-upgrade-maven-doxia-module-rtf
alma-upgrade-maven-doxia-module-twiki
alma-upgrade-maven-doxia-module-xdoc
alma-upgrade-maven-doxia-module-xhtml
alma-upgrade-maven-doxia-modules
alma-upgrade-maven-doxia-sink-api
alma-upgrade-maven-doxia-sitetools
alma-upgrade-maven-doxia-sitetools-javadoc
alma-upgrade-maven-doxia-test-docs
alma-upgrade-maven-doxia-tests
alma-upgrade-maven-enforcer
alma-upgrade-maven-enforcer-api
alma-upgrade-maven-enforcer-javadoc
alma-upgrade-maven-enforcer-plugin
alma-upgrade-maven-enforcer-rules
alma-upgrade-maven-failsafe-plugin
alma-upgrade-maven-file-management
alma-upgrade-maven-file-management-javadoc
alma-upgrade-maven-filtering
alma-upgrade-maven-filtering-javadoc
alma-upgrade-maven-hawtjni-plugin
alma-upgrade-maven-install-plugin
alma-upgrade-maven-install-plugin-javadoc
alma-upgrade-maven-invoker
alma-upgrade-maven-invoker-javadoc
alma-upgrade-maven-invoker-plugin
alma-upgrade-maven-invoker-plugin-javadoc
alma-upgrade-maven-jar-plugin
alma-upgrade-maven-jar-plugin-javadoc
alma-upgrade-maven-javadoc
alma-upgrade-maven-lib
alma-upgrade-maven-local
alma-upgrade-maven-model
alma-upgrade-maven-monitor
alma-upgrade-maven-parent
alma-upgrade-maven-plugin-annotations
alma-upgrade-maven-plugin-build-helper
alma-upgrade-maven-plugin-build-helper-javadoc
alma-upgrade-maven-plugin-bundle
alma-upgrade-maven-plugin-bundle-javadoc
alma-upgrade-maven-plugin-descriptor
alma-upgrade-maven-plugin-plugin
alma-upgrade-maven-plugin-registry
alma-upgrade-maven-plugin-testing
alma-upgrade-maven-plugin-testing-harness
alma-upgrade-maven-plugin-testing-javadoc
alma-upgrade-maven-plugin-testing-tools
alma-upgrade-maven-plugin-tools
alma-upgrade-maven-plugin-tools-annotations
alma-upgrade-maven-plugin-tools-ant
alma-upgrade-maven-plugin-tools-api
alma-upgrade-maven-plugin-tools-beanshell
alma-upgrade-maven-plugin-tools-generators
alma-upgrade-maven-plugin-tools-java
alma-upgrade-maven-plugin-tools-javadoc
alma-upgrade-maven-plugin-tools-javadocs
alma-upgrade-maven-plugin-tools-model
alma-upgrade-maven-plugins-pom
alma-upgrade-maven-profile
alma-upgrade-maven-project
alma-upgrade-maven-remote-resources-plugin
alma-upgrade-maven-remote-resources-plugin-javadoc
alma-upgrade-maven-reporting-api
alma-upgrade-maven-reporting-api-javadoc
alma-upgrade-maven-reporting-impl
alma-upgrade-maven-reporting-impl-javadoc
alma-upgrade-maven-resolver
alma-upgrade-maven-resolver-api
alma-upgrade-maven-resolver-connector-basic
alma-upgrade-maven-resolver-impl
alma-upgrade-maven-resolver-javadoc
alma-upgrade-maven-resolver-spi
alma-upgrade-maven-resolver-test-util
alma-upgrade-maven-resolver-transport-classpath
alma-upgrade-maven-resolver-transport-file
alma-upgrade-maven-resolver-transport-http
alma-upgrade-maven-resolver-transport-wagon
alma-upgrade-maven-resolver-util
alma-upgrade-maven-resources-plugin
alma-upgrade-maven-resources-plugin-javadoc
alma-upgrade-maven-script
alma-upgrade-maven-script-ant
alma-upgrade-maven-script-beanshell
alma-upgrade-maven-script-interpreter
alma-upgrade-maven-script-interpreter-javadoc
alma-upgrade-maven-settings
alma-upgrade-maven-shade-plugin
alma-upgrade-maven-shade-plugin-javadoc
alma-upgrade-maven-shared
alma-upgrade-maven-shared-incremental
alma-upgrade-maven-shared-incremental-javadoc
alma-upgrade-maven-shared-io
alma-upgrade-maven-shared-io-javadoc
alma-upgrade-maven-shared-utils
alma-upgrade-maven-shared-utils-javadoc
alma-upgrade-maven-source-plugin
alma-upgrade-maven-source-plugin-javadoc
alma-upgrade-maven-surefire
alma-upgrade-maven-surefire-javadoc
alma-upgrade-maven-surefire-plugin
alma-upgrade-maven-surefire-provider-junit
alma-upgrade-maven-surefire-provider-testng
alma-upgrade-maven-surefire-report-parser
alma-upgrade-maven-surefire-report-plugin
alma-upgrade-maven-test-tools
alma-upgrade-maven-toolchain
alma-upgrade-maven-verifier
alma-upgrade-maven-verifier-javadoc
alma-upgrade-maven-wagon
alma-upgrade-maven-wagon-file
alma-upgrade-maven-wagon-ftp
alma-upgrade-maven-wagon-http
alma-upgrade-maven-wagon-http-lightweight
alma-upgrade-maven-wagon-http-shared
alma-upgrade-maven-wagon-javadoc
alma-upgrade-maven-wagon-provider-api
alma-upgrade-maven-wagon-providers
alma-upgrade-maven2-javadoc
alma-upgrade-mockito
alma-upgrade-mockito-javadoc
alma-upgrade-modello
alma-upgrade-modello-javadoc
alma-upgrade-mojo-parent
alma-upgrade-munge-maven-plugin
alma-upgrade-munge-maven-plugin-javadoc
alma-upgrade-objectweb-asm
alma-upgrade-objectweb-asm-javadoc
alma-upgrade-objectweb-pom
alma-upgrade-objenesis
alma-upgrade-objenesis-javadoc
alma-upgrade-os-maven-plugin
alma-upgrade-os-maven-plugin-javadoc
alma-upgrade-osgi-annotation
alma-upgrade-osgi-annotation-javadoc
alma-upgrade-osgi-compendium
alma-upgrade-osgi-compendium-javadoc
alma-upgrade-osgi-core
alma-upgrade-osgi-core-javadoc
alma-upgrade-plexus-ant-factory
alma-upgrade-plexus-ant-factory-javadoc
alma-upgrade-plexus-archiver
alma-upgrade-plexus-archiver-javadoc
alma-upgrade-plexus-bsh-factory
alma-upgrade-plexus-bsh-factory-javadoc
alma-upgrade-plexus-build-api
alma-upgrade-plexus-build-api-javadoc
alma-upgrade-plexus-cipher
alma-upgrade-plexus-cipher-javadoc
alma-upgrade-plexus-classworlds
alma-upgrade-plexus-classworlds-javadoc
alma-upgrade-plexus-cli
alma-upgrade-plexus-cli-javadoc
alma-upgrade-plexus-compiler
alma-upgrade-plexus-compiler-extras
alma-upgrade-plexus-compiler-javadoc
alma-upgrade-plexus-compiler-pom
alma-upgrade-plexus-component-api
alma-upgrade-plexus-component-api-javadoc
alma-upgrade-plexus-component-factories-pom
alma-upgrade-plexus-components-pom
alma-upgrade-plexus-containers
alma-upgrade-plexus-containers-component-annotations
alma-upgrade-plexus-containers-component-javadoc
alma-upgrade-plexus-containers-component-metadata
alma-upgrade-plexus-containers-container-default
alma-upgrade-plexus-containers-javadoc
alma-upgrade-plexus-i18n
alma-upgrade-plexus-i18n-javadoc
alma-upgrade-plexus-interactivity
alma-upgrade-plexus-interactivity-api
alma-upgrade-plexus-interactivity-javadoc
alma-upgrade-plexus-interactivity-jline
alma-upgrade-plexus-interpolation
alma-upgrade-plexus-interpolation-javadoc
alma-upgrade-plexus-io
alma-upgrade-plexus-io-javadoc
alma-upgrade-plexus-languages
alma-upgrade-plexus-languages-javadoc
alma-upgrade-plexus-pom
alma-upgrade-plexus-resources
alma-upgrade-plexus-resources-javadoc
alma-upgrade-plexus-sec-dispatcher
alma-upgrade-plexus-sec-dispatcher-javadoc
alma-upgrade-plexus-utils
alma-upgrade-plexus-utils-javadoc
alma-upgrade-plexus-velocity
alma-upgrade-plexus-velocity-javadoc
alma-upgrade-powermock-api-easymock
alma-upgrade-powermock-api-mockito
alma-upgrade-powermock-api-support
alma-upgrade-powermock-common
alma-upgrade-powermock-core
alma-upgrade-powermock-javadoc
alma-upgrade-powermock-junit4
alma-upgrade-powermock-reflect
alma-upgrade-powermock-testng
alma-upgrade-python3-javapackages
alma-upgrade-qdox
alma-upgrade-qdox-javadoc
alma-upgrade-regexp
alma-upgrade-regexp-javadoc
alma-upgrade-sisu-inject
alma-upgrade-sisu-javadoc
alma-upgrade-sisu-mojos
alma-upgrade-sisu-mojos-javadoc
alma-upgrade-sisu-plexus
alma-upgrade-slf4j
alma-upgrade-slf4j-ext
alma-upgrade-slf4j-javadoc
alma-upgrade-slf4j-jcl
alma-upgrade-slf4j-jdk14
alma-upgrade-slf4j-log4j12
alma-upgrade-slf4j-manual
alma-upgrade-slf4j-sources
alma-upgrade-sonatype-oss-parent
alma-upgrade-sonatype-plugins-parent
alma-upgrade-spec-version-maven-plugin
alma-upgrade-spec-version-maven-plugin-javadoc
alma-upgrade-spice-parent
alma-upgrade-testng
alma-upgrade-testng-javadoc
alma-upgrade-velocity
alma-upgrade-velocity-demo
alma-upgrade-velocity-javadoc
alma-upgrade-velocity-manual
alma-upgrade-weld-parent
alma-upgrade-xalan-j2
alma-upgrade-xalan-j2-demo
alma-upgrade-xalan-j2-javadoc
alma-upgrade-xalan-j2-manual
alma-upgrade-xalan-j2-xsltc
alma-upgrade-xbean
alma-upgrade-xbean-javadoc
alma-upgrade-xerces-j2
alma-upgrade-xerces-j2-demo
alma-upgrade-xerces-j2-javadoc
alma-upgrade-xml-commons-apis
alma-upgrade-xml-commons-apis-javadoc
alma-upgrade-xml-commons-apis-manual
alma-upgrade-xml-commons-resolver
alma-upgrade-xml-commons-resolver-javadoc
alma-upgrade-xmlunit
alma-upgrade-xmlunit-javadoc
alma-upgrade-xmvn
alma-upgrade-xmvn-api
alma-upgrade-xmvn-bisect
alma-upgrade-xmvn-connector-aether
alma-upgrade-xmvn-connector-ivy
alma-upgrade-xmvn-core
alma-upgrade-xmvn-install
alma-upgrade-xmvn-javadoc
alma-upgrade-xmvn-minimal
alma-upgrade-xmvn-mojo
alma-upgrade-xmvn-parent-pom
alma-upgrade-xmvn-resolve
alma-upgrade-xmvn-subst
alma-upgrade-xmvn-tools-pom
alma-upgrade-xz-java
alma-upgrade-xz-java-javadoc