WindowsBuilder getClass exposure old version netbeans [message #1803571] |
Mon, 04 March 2019 16:20 |
Timothy Wiltshire Messages: 1 Registered: March 2019 |
Junior Member |
I am an ECLIPSE user, not awesome, but reasonably capable for a "non-programmer" type. Anyway, my employer requires pre-approval of any open source software before install, and when I applied for WindowsBuilder PRO (I have a project where I really do need a WYSIWYG GUI builder), they rejected the request, indicating this:
"The requested software includes Apache Commons BeanUtils version 1.8.0, dated 2008-08-28, which has the following issue:
CVE-2014-0114
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Published: April 30, 2014; 06:49:03 AM -04:00
Note that BeanUtils 1.9.3 has been available since 2016-09-21, so this software cannot be approved."
Is this true? Does the current version of WindowBuilder actually use this very old netBeans component with an exposure? If so, is there any other WYSIWYG GUI builder that doesn't have this kind of exposure?
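One way to check a downloaded copy for the jar named in the rejection notice (an added example, not part of the original post and not WindowBuilder's own tooling): the script walks a directory, identifies BeanUtils jars by the `PropertyUtilsBean` class they contain, and compares the version in the file name or manifest against the 1.9.3 release cited in the notice. The function names, the file-name patterns and the sample jars are assumptions made for this example, and a version match only shows what is bundled, not whether the class property is reachable.

```python
import re
import zipfile
from pathlib import Path

FIXED = (1, 9, 3)  # release the rejection notice names; adjust to local policy
MARKER = "org/apache/commons/beanutils/PropertyUtilsBean.class"
NAME_RE = re.compile(r"commons[-.]beanutils[-_](\d+(?:\.\d+)*)", re.I)
MANIFEST_RE = re.compile(r"^(?:Implementation|Bundle)-Version:\s*(\d+(?:\.\d+)*)", re.M)

def beanutils_version(jar_path):
    """Return (is_beanutils, version string or None) for one jar."""
    path = Path(jar_path)
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if MARKER not in names:
                return False, None
            manifest = ""
            if "META-INF/MANIFEST.MF" in names:
                manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, OSError):
        return False, None
    # Prefer the file name; fall back to the manifest for renamed jars.
    hit = NAME_RE.search(path.name) or MANIFEST_RE.search(manifest)
    return True, hit.group(1) if hit else None

def audit(root):
    """Map each BeanUtils jar under root to 'outdated', 'ok' or 'unknown'."""
    report = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        found, version = beanutils_version(jar)
        if found and version is None:
            report[jar.name] = "unknown"  # needs manual review
        elif found:
            parsed = tuple(int(p) for p in version.split("."))
            report[jar.name] = "outdated" if parsed < FIXED else "ok"
    return report

def build_sample(root):
    """Constructed sample jars (empty class files) for a dry run."""
    for name, manifest in [
        ("commons-beanutils-1.8.0.jar", ""),
        ("org.apache.commons.beanutils_1.9.4.v20200101.jar", ""),
        ("bundled-lib.jar", "Bundle-Version: 1.8.0.v201205091237\r\n"),
    ]:
        with zipfile.ZipFile(Path(root) / name, "w") as jar:
            jar.writestr(MARKER, b"")
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n" + manifest)
```

Calling `audit()` on the unpacked plugin or `plugins` directory of the Eclipse install lists every bundled BeanUtils copy with its verdict; an empty result means no jar there contains the BeanUtils classes.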