WindowsBuilder getClass exposure old version netbeans [message #1803571]
Mon, 04 March 2019 16:20
Timothy Wiltshire
Registered: March 2019
I am an ECLIPSE user, not awesome, but reasonably capable for a "non programmer" type. Anyway, my employer requires pre-approval of any open source software before install, and when I applied for WindowsBuilder PRO (I have a project where I really do need a WYSIWYG GUI builder), they rejected the request, indicating this:
"The requested software includes Apache Commons BeanUtils version 1.8.0, dated 2008-08-28, which has the following issue:
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Published: April 30, 2014; 06:49:03 AM -04:00
Note that BeanUtils 1.9.3 has been available since 2016-09-21, so this software cannot be approved."
Is this true? Does the current version of WindowBuilder actually use this very old netBeans component with an exposure? If so, is there any other WYSIWYG GUI builder that doesn't have this kind of exposure?
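One way to check what a given install actually bundles, as an added example that is not part of the original post or of any project's own tooling: the script below walks a directory for BeanUtils jars, reads each version from the jar manifest (or the file name), and flags anything at or below 1.9.2, the last affected version named in the quoted notice. The directory layout, the file names in `build_sample` and the assumption that the jar's file name contains "beanutils" are all constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

LAST_AFFECTED = (1, 9, 2)  # from the quoted notice: affected "through 1.9.2"
NAME_RE = re.compile(r"beanutils[-_](\d+(?:\.\d+)+)", re.I)
MANIFEST_RE = re.compile(r"^(?:Bundle|Implementation)-Version:\s*(\S+)", re.M)

def parse_version(text):
    """'1.8.0.v2012' -> (1, 8, 0); only the first three numeric parts count."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def jar_version(jar_path):
    """Read the version from the jar manifest, falling back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode(errors="replace")
        found = MANIFEST_RE.search(manifest)
        if found:
            return found.group(1)
    except (KeyError, zipfile.BadZipFile):
        pass  # no manifest or not a real archive: use the name instead
    found = NAME_RE.search(jar_path.name)
    return found.group(1) if found else None

def scan(root):
    """Return [(relative path, version, needs_review)]; unknown versions are flagged."""
    findings = []
    for jar in Path(root).rglob("*beanutils*.jar"):
        version = jar_version(jar)
        flagged = version is None or parse_version(version) <= LAST_AFFECTED
        findings.append((jar.relative_to(root).as_posix(), version, flagged))
    return sorted(findings, key=lambda f: f[0])

def build_sample(root):
    """Constructed sample tree: file names and layout are made up for the demo."""
    plugins = Path(root, "plugins")
    plugins.mkdir(parents=True)
    with zipfile.ZipFile(plugins / "commons-beanutils-1.8.0.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Bundle-Version: 1.8.0\r\n")
    with zipfile.ZipFile(plugins / "commons-beanutils-1.9.3.jar", "w") as z:
        z.writestr("placeholder.txt", "no manifest in this one")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Pointing `scan` at a real install directory gives a list to attach to an approval request; jars nested inside other archives are not opened by this sketch.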