Eclipse Community Forums
WindowsBuilder getClass exposure old version netbeans (WindowsBuilder getClass uses netbeans 1.80 has known vulnerability)
WindowsBuilder getClass exposure old version netbeans [message #1803571] Mon, 04 March 2019 16:20
Timothy Wiltshire
I am an ECLIPSE user, not awesome, but reasonably capable for a "non programmer" type. Anyway, my employer requires pre-approval of any open source software before install, and when I applied for WindowsBuilder PRO (I have a project where I really do need a WYSIWYG GUI builder), they rejected the request indicating this:

"The requested software includes Apache Commons BeanUtils version 1.8.0, dated 2008-08-28, which has the following issue:
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Published: April 30, 2014; 06:49:03 AM -04:00

Note that BeanUtils 1.9.3 has been available since 2016-09-21, so this software cannot be approved."

Is this true, does the current version of WindowBuilder actually use this very old netBeans component with an exposure? If so, is there any other WYSIWYG GUI builder that doesn't have this kind of exposure?
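
The rejection quoted in the post names a specific bundled library and version range, which can be checked directly against an install. As an added example (not part of the original post, and not WindowBuilder or Eclipse code), this script scans a directory tree for jars that contain BeanUtils classes and flags versions through 1.9.2, per the quoted advisory text; the sample jars, their file names and their versions are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class shipped in BeanUtils; matching on it finds copies inside renamed jars.
MARKER = "org/apache/commons/beanutils/PropertyUtilsBean.class"
LAST_AFFECTED = (1, 9, 2)  # "through 1.9.2", per the advisory quoted in the post

def manifest_version(jar):
    """Return the version tuple from the jar manifest, or None if absent."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^(?:Bundle|Implementation)-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan(root):
    """Return (relative path, version, flagged) for each jar bundling BeanUtils."""
    results = []
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(path) as jar:
                if MARKER not in jar.namelist():
                    continue
                version = manifest_version(jar)
        except zipfile.BadZipFile:
            continue  # not a readable archive; skip rather than abort the scan
        flagged = version is None or version <= LAST_AFFECTED  # unknown: flag for review
        results.append((path.relative_to(root).as_posix(), version, flagged))
    return results

def build_sample(root):
    """Constructed sample install: file names and versions are made up."""
    samples = {"plugins/beanutils-old.jar": (MARKER, "Bundle-Version: 1.8.0.v2011\n"),
               "plugins/beanutils-new.jar": (MARKER, "Implementation-Version: 1.9.3\n"),
               "plugins/unrelated.jar": ("com/example/A.class", "Bundle-Version: 1.0.0\n")}
    for name, (entry, manifest) in samples.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + manifest)
            jar.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

Pointing `scan()` at an Eclipse installation directory or an unpacked plugin archive reviews a real install; jars nested inside other jars are not opened.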