Red Hat: CVE-2025-48734: commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default (Multiple Advisories)

Severity: 9
CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: May 28, 2025
Added: Jun 17, 2025
Modified: Nov 14, 2025

Description

Improper Access Control vulnerability in Apache Commons.

A special BeanIntrospector class was added in version 1.9.2. It can be used to stop attackers from using the declared class property of Java enum objects to gain access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
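The following is an added example, not code from the advisory or from the Apache Commons BeanUtils project. It shows how an application that cannot yet move to 1.11.0 / 2.0.0-M2 can opt in to the protection the advisory describes: it registers the SuppressPropertiesBeanIntrospector (present since commons-beanutils 1.9.2) on a private PropertyUtilsBean so that the class-related properties are removed from every bean's descriptor set, and then shows what a caller-supplied property path sees once that is done. The Widget and Color types and the property paths are constructed sample input. The Java accessor behind the enum property is Enum.getDeclaringClass(), i.e. bean property "declaringClass"; the advisory writes "declaredClass", so both names are suppressed along with "class".

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Hardened property access for applications still on commons-beanutils
 * 1.9.2 through 1.10.x. Versions 1.11.0 and 2.0.0-M2 enable the same
 * suppression by default; on those versions this class is redundant.
 */
public final class HardenedPropertyAccess {

    /** Property names that lead to java.lang.Class (and from there to the ClassLoader). */
    private static final Set<String> SUPPRESSED;
    static {
        Set<String> s = new HashSet<>();
        s.add("class");           // Object.getClass(), present on every bean
        s.add("declaringClass");  // Enum.getDeclaringClass(), present on every enum constant
        s.add("declaredClass");   // the name as written in the advisory, suppressed as well
        SUPPRESSED = Collections.unmodifiableSet(s);
    }

    private final PropertyUtilsBean propertyUtils;

    public HardenedPropertyAccess() {
        // A private instance rather than the shared static PropertyUtils one, so that
        // other code calling resetBeanIntrospectors() cannot silently undo the hardening.
        propertyUtils = new PropertyUtilsBean();
        propertyUtils.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(SUPPRESSED));
    }

    /**
     * Resolves a caller-supplied property path. A suppressed property has no
     * descriptor any more, so BeanUtils reports it as an unknown property; the
     * caller gets an IllegalArgumentException instead of a Class object.
     */
    public Object get(Object bean, String path) {
        try {
            return propertyUtils.getNestedProperty(bean, path);
        } catch (NoSuchMethodException e) {
            throw new IllegalArgumentException("Unknown or suppressed property: " + path, e);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Property access failed for: " + path, e);
        }
    }

    // Constructed sample bean: an enum-typed property such as a request handler
    // might bind from external data.
    public enum Color { RED, GREEN }

    public static final class Widget {
        private Color color = Color.RED;
        private String name = "demo";
        public Color getColor() { return color; }
        public void setColor(Color c) { color = c; }
        public String getName() { return name; }
        public void setName(String n) { name = n; }
    }

    public static void main(String[] args) {
        HardenedPropertyAccess access = new HardenedPropertyAccess();
        Widget w = new Widget();

        // Ordinary property paths keep working.
        System.out.println("color = " + access.get(w, "color"));

        // Paths that step from the bean or the enum constant to its Class are rejected.
        for (String path : new String[] {"color.declaringClass", "color.class", "class"}) {
            try {
                access.get(w, path);
                System.out.println(path + " -> NOT suppressed; check the BeanUtils version in use");
            } catch (IllegalArgumentException e) {
                System.out.println(path + " -> suppressed");
            }
        }
    }
}
```

The main method doubles as a check for a deployed build: if any of the three paths prints "NOT suppressed", the introspector is not in effect on that PropertyUtilsBean (for example because the application resolves properties through a different instance). Suppressing the properties removes the reachable ClassLoader but does not validate the rest of the path, so an allowlist of the property names the application actually expects remains the stronger control wherever paths come from an external source.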

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.

Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Solutions

Solution identifiers listed for this vulnerability: no-fix-redhat-rpm-package, and a redhat-upgrade-<package> solution for each of the following packages:

ant, ant-antlr, ant-apache-bcel, ant-apache-bsf, ant-apache-log4j, ant-apache-oro, ant-apache-regexp, ant-apache-resolver, ant-apache-xalan2, ant-commons-logging, ant-commons-net, ant-contrib, ant-contrib-javadoc, ant-javadoc, ant-javamail, ant-jdepend, ant-jmf, ant-jsch, ant-junit, ant-lib, ant-manual, ant-swing, ant-testutil, ant-xz, antlr-c, antlr-javadoc, antlr-manual, antlr-tool, aopalliance, aopalliance-javadoc, apache-commons-beanutils, apache-commons-beanutils-javadoc, apache-commons-cli, apache-commons-cli-javadoc, apache-commons-codec, apache-commons-codec-javadoc, apache-commons-collections, apache-commons-collections-javadoc, apache-commons-collections-testframework, apache-commons-compress, apache-commons-compress-javadoc, apache-commons-exec, apache-commons-exec-javadoc, apache-commons-io, apache-commons-io-javadoc, apache-commons-jxpath, apache-commons-jxpath-javadoc, apache-commons-lang, apache-commons-lang-javadoc, apache-commons-lang3, apache-commons-lang3-javadoc, apache-commons-logging, apache-commons-logging-javadoc, apache-commons-net, apache-commons-net-javadoc, apache-commons-parent, apache-ivy, apache-ivy-javadoc, apache-parent, apache-resource-bundles,

aqute-bnd, aqute-bnd-javadoc, aqute-bndlib, assertj-core, assertj-core-javadoc, atinject, atinject-javadoc, atinject-tck, bcel, bcel-javadoc, beust-jcommander, beust-jcommander-javadoc, bnd-maven-plugin, bsf, bsf-javadoc, bsh, bsh-javadoc, bsh-manual, byaccj, byaccj-debuginfo, byaccj-debugsource, cal10n, cal10n-javadoc, cdi-api, cdi-api-javadoc, cglib, cglib-javadoc, easymock, easymock-javadoc, exec-maven-plugin, exec-maven-plugin-javadoc, felix-osgi-compendium, felix-osgi-compendium-javadoc, felix-osgi-core, felix-osgi-core-javadoc, felix-osgi-foundation, felix-osgi-foundation-javadoc, felix-parent, felix-utils, felix-utils-javadoc, forge-parent, fusesource-pom, geronimo-annotation, geronimo-annotation-javadoc, geronimo-jms, geronimo-jms-javadoc, geronimo-jpa, geronimo-jpa-javadoc, geronimo-parent-poms, glassfish-annotation-api, glassfish-annotation-api-javadoc, glassfish-el, glassfish-el-api, glassfish-el-javadoc, glassfish-jsp-api, glassfish-jsp-api-javadoc, glassfish-legal, glassfish-master-pom, glassfish-servlet-api, glassfish-servlet-api-javadoc, google-guice, google-guice-javadoc, guava20, guava20-javadoc, guava20-testlib,

guice-assistedinject, guice-bom, guice-extensions, guice-grapher, guice-jmx, guice-jndi, guice-multibindings, guice-parent, guice-servlet, guice-testlib, guice-throwingproviders, hamcrest, hamcrest-core, hamcrest-demo, hamcrest-javadoc, hawtjni, hawtjni-javadoc, hawtjni-runtime, httpcomponents-client, httpcomponents-client-cache, httpcomponents-client-javadoc, httpcomponents-core, httpcomponents-core-javadoc, httpcomponents-project, isorelax, isorelax-javadoc, ivy-local, jakarta-commons-httpclient, jakarta-commons-httpclient-demo, jakarta-commons-httpclient-javadoc, jakarta-commons-httpclient-manual, jakarta-oro, jakarta-oro-javadoc, jansi, jansi-javadoc, jansi-native, jansi-native-javadoc, java_cup, java_cup-javadoc, java_cup-manual, javacc, javacc-demo, javacc-javadoc, javacc-manual, javacc-maven-plugin, javacc-maven-plugin-javadoc, javamail, javamail-javadoc, javapackages-filesystem, javapackages-local, javapackages-tools, javassist, javassist-javadoc, jaxen, jaxen-demo, jaxen-javadoc, jboss-interceptors-1-2-api, jboss-interceptors-1-2-api-javadoc, jboss-parent, jcl-over-slf4j, jdepend, jdepend-demo, jdepend-javadoc, jdependency, jdependency-javadoc,

jdom, jdom-demo, jdom-javadoc, jdom2, jdom2-javadoc, jflex, jflex-javadoc, jline, jline-javadoc, jsch, jsch-javadoc, jsoup, jsoup-javadoc, jsr-305, jsr-305-javadoc, jtidy, jtidy-javadoc, jul-to-slf4j, junit, junit-javadoc, junit-manual, jvnet-parent, jzlib, jzlib-demo, jzlib-javadoc, log4j-over-slf4j, log4j12, log4j12-javadoc, maven, maven-antrun-plugin, maven-antrun-plugin-javadoc, maven-archiver, maven-archiver-javadoc, maven-artifact, maven-artifact-manager, maven-artifact-resolver, maven-artifact-resolver-javadoc, maven-artifact-transfer, maven-artifact-transfer-javadoc, maven-assembly-plugin, maven-assembly-plugin-javadoc, maven-cal10n-plugin, maven-clean-plugin, maven-clean-plugin-javadoc, maven-common-artifact-filters, maven-common-artifact-filters-javadoc, maven-compiler-plugin, maven-compiler-plugin-javadoc, maven-dependency-analyzer, maven-dependency-analyzer-javadoc, maven-dependency-plugin, maven-dependency-plugin-javadoc, maven-dependency-tree, maven-dependency-tree-javadoc, maven-doxia, maven-doxia-core, maven-doxia-javadoc, maven-doxia-logging-api, maven-doxia-module-apt, maven-doxia-module-confluence, maven-doxia-module-docbook-simple, maven-doxia-module-fml,

maven-doxia-module-latex, maven-doxia-module-rtf, maven-doxia-module-twiki, maven-doxia-module-xdoc, maven-doxia-module-xhtml, maven-doxia-modules, maven-doxia-sink-api, maven-doxia-sitetools, maven-doxia-sitetools-javadoc, maven-doxia-test-docs, maven-doxia-tests, maven-enforcer, maven-enforcer-api, maven-enforcer-javadoc, maven-enforcer-plugin, maven-enforcer-rules, maven-failsafe-plugin, maven-file-management, maven-file-management-javadoc, maven-filtering, maven-filtering-javadoc, maven-hawtjni-plugin, maven-install-plugin, maven-install-plugin-javadoc, maven-invoker, maven-invoker-javadoc, maven-invoker-plugin, maven-invoker-plugin-javadoc, maven-jar-plugin, maven-jar-plugin-javadoc, maven-javadoc, maven-lib, maven-local, maven-model, maven-monitor, maven-parent, maven-plugin-annotations, maven-plugin-build-helper, maven-plugin-build-helper-javadoc, maven-plugin-bundle, maven-plugin-bundle-javadoc, maven-plugin-descriptor, maven-plugin-plugin, maven-plugin-registry, maven-plugin-testing, maven-plugin-testing-harness, maven-plugin-testing-javadoc, maven-plugin-testing-tools, maven-plugin-tools, maven-plugin-tools-annotations, maven-plugin-tools-ant, maven-plugin-tools-api, maven-plugin-tools-beanshell, maven-plugin-tools-generators, maven-plugin-tools-java,

maven-plugin-tools-javadoc, maven-plugin-tools-javadocs, maven-plugin-tools-model, maven-plugins-pom, maven-profile, maven-project, maven-remote-resources-plugin, maven-remote-resources-plugin-javadoc, maven-reporting-api, maven-reporting-api-javadoc, maven-reporting-impl, maven-reporting-impl-javadoc, maven-resolver, maven-resolver-api, maven-resolver-connector-basic, maven-resolver-impl, maven-resolver-javadoc, maven-resolver-spi, maven-resolver-test-util, maven-resolver-transport-classpath, maven-resolver-transport-file, maven-resolver-transport-http, maven-resolver-transport-wagon, maven-resolver-util, maven-resources-plugin, maven-resources-plugin-javadoc, maven-script, maven-script-ant, maven-script-beanshell, maven-script-interpreter, maven-script-interpreter-javadoc, maven-settings, maven-shade-plugin, maven-shade-plugin-javadoc, maven-shared, maven-shared-incremental, maven-shared-incremental-javadoc, maven-shared-io, maven-shared-io-javadoc, maven-shared-utils, maven-shared-utils-javadoc, maven-source-plugin, maven-source-plugin-javadoc, maven-surefire, maven-surefire-javadoc, maven-surefire-plugin, maven-surefire-provider-junit, maven-surefire-provider-testng, maven-surefire-report-parser, maven-surefire-report-plugin, maven-test-tools, maven-toolchain, maven-verifier,

maven-verifier-javadoc, maven-wagon, maven-wagon-file, maven-wagon-ftp, maven-wagon-http, maven-wagon-http-lightweight, maven-wagon-http-shared, maven-wagon-javadoc, maven-wagon-provider-api, maven-wagon-providers, maven2-javadoc, mockito, mockito-javadoc, modello, modello-javadoc, mojo-parent, munge-maven-plugin, munge-maven-plugin-javadoc, objectweb-asm, objectweb-asm-javadoc, objectweb-pom, objenesis, objenesis-javadoc, os-maven-plugin, os-maven-plugin-javadoc, osgi-annotation, osgi-annotation-javadoc, osgi-compendium, osgi-compendium-javadoc, osgi-core, osgi-core-javadoc, plexus-ant-factory, plexus-ant-factory-javadoc, plexus-archiver, plexus-archiver-javadoc, plexus-bsh-factory, plexus-bsh-factory-javadoc, plexus-build-api, plexus-build-api-javadoc, plexus-cipher, plexus-cipher-javadoc, plexus-classworlds, plexus-classworlds-javadoc, plexus-cli, plexus-cli-javadoc, plexus-compiler, plexus-compiler-extras, plexus-compiler-javadoc, plexus-compiler-pom, plexus-component-api, plexus-component-api-javadoc, plexus-component-factories-pom, plexus-components-pom, plexus-containers, plexus-containers-component-annotations, plexus-containers-component-javadoc, plexus-containers-component-metadata, plexus-containers-container-default,

plexus-containers-javadoc, plexus-i18n, plexus-i18n-javadoc, plexus-interactivity, plexus-interactivity-api, plexus-interactivity-javadoc, plexus-interactivity-jline, plexus-interpolation, plexus-interpolation-javadoc, plexus-io, plexus-io-javadoc, plexus-languages, plexus-languages-javadoc, plexus-pom, plexus-resources, plexus-resources-javadoc, plexus-sec-dispatcher, plexus-sec-dispatcher-javadoc, plexus-utils, plexus-utils-javadoc, plexus-velocity, plexus-velocity-javadoc, powermock-api-easymock, powermock-api-mockito, powermock-api-support, powermock-common, powermock-core, powermock-javadoc, powermock-junit4, powermock-reflect, powermock-testng, python3-javapackages, qdox, qdox-javadoc, regexp, regexp-javadoc, sisu-inject, sisu-javadoc, sisu-mojos, sisu-mojos-javadoc, sisu-plexus, slf4j, slf4j-ext, slf4j-javadoc, slf4j-jcl, slf4j-jdk14, slf4j-log4j12, slf4j-manual, slf4j-sources, sonatype-oss-parent, sonatype-plugins-parent, spec-version-maven-plugin, spec-version-maven-plugin-javadoc, spice-parent, testng, testng-javadoc, velocity, velocity-demo, velocity-javadoc, velocity-manual, weld-parent, xalan-j2, xalan-j2-demo, xalan-j2-javadoc, xalan-j2-manual,

xalan-j2-xsltc, xbean, xbean-javadoc, xerces-j2, xerces-j2-demo, xerces-j2-javadoc, xml-commons-apis, xml-commons-apis-javadoc, xml-commons-apis-manual, xml-commons-resolver, xml-commons-resolver-javadoc, xmlunit, xmlunit-javadoc, xmvn, xmvn-api, xmvn-bisect, xmvn-connector-aether, xmvn-connector-ivy, xmvn-core, xmvn-install, xmvn-javadoc, xmvn-minimal, xmvn-mojo, xmvn-parent-pom, xmvn-resolve, xmvn-subst, xmvn-tools-pom, xz-java, xz-java-javadoc