Bug 2368956 (CVE-2025-48734) - CVE-2025-48734 commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default
Summary: CVE-2025-48734 commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean...
Keywords:
Status: NEW
Alias: CVE-2025-48734
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2369089 2369094 2369088 2369090 2369091 2369092 2369093 2369095
Blocks:
Reported: 2025-05-28 14:01 UTC by OSIDB Bzimport
Modified: 2025-09-25 00:08 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:10452 0 None None None 2025-07-07 13:30:57 UTC
Red Hat Product Errata RHSA-2025:10453 0 None None None 2025-07-07 13:25:57 UTC
Red Hat Product Errata RHSA-2025:10459 0 None None None 2025-07-07 13:35:26 UTC
Red Hat Product Errata RHSA-2025:10814 0 None None None 2025-07-10 16:17:11 UTC
Red Hat Product Errata RHSA-2025:10924 0 None None None 2025-07-14 15:56:00 UTC
Red Hat Product Errata RHSA-2025:10925 0 None None None 2025-07-14 15:55:12 UTC
Red Hat Product Errata RHSA-2025:10926 0 None None None 2025-07-14 15:54:32 UTC
Red Hat Product Errata RHSA-2025:10931 0 None None None 2025-07-14 16:21:41 UTC
Red Hat Product Errata RHSA-2025:12511 0 None None None 2025-08-01 17:43:27 UTC
Red Hat Product Errata RHSA-2025:13274 0 None None None 2025-08-06 16:17:55 UTC
Red Hat Product Errata RHSA-2025:15810 0 None None None 2025-09-15 14:41:59 UTC
Red Hat Product Errata RHSA-2025:15811 0 None None None 2025-09-15 15:01:42 UTC
Red Hat Product Errata RHSA-2025:15812 0 None None None 2025-09-15 15:02:00 UTC
Red Hat Product Errata RHSA-2025:15813 0 None None None 2025-09-15 14:42:27 UTC
Red Hat Product Errata RHSA-2025:15814 0 None None None 2025-09-15 15:07:24 UTC
Red Hat Product Errata RHSA-2025:15815 0 None None None 2025-09-15 14:42:57 UTC
Red Hat Product Errata RHSA-2025:15816 0 None None None 2025-09-15 15:02:59 UTC
Red Hat Product Errata RHSA-2025:15817 0 None None None 2025-09-15 15:03:08 UTC
Red Hat Product Errata RHSA-2025:16409 0 None None None 2025-09-22 23:39:47 UTC
Red Hat Product Errata RHSA-2025:16667 0 None None None 2025-09-25 00:08:46 UTC
Red Hat Product Errata RHSA-2025:16668 0 None None None 2025-09-25 00:07:55 UTC
Red Hat Product Errata RHSA-2025:8265 0 None None None 2025-06-05 02:19:56 UTC
Red Hat Product Errata RHSA-2025:8919 0 None None None 2025-06-11 15:34:20 UTC
Red Hat Product Errata RHSA-2025:9114 0 None None None 2025-06-16 14:56:15 UTC
Red Hat Product Errata RHSA-2025:9115 0 None None None 2025-06-16 15:02:58 UTC
Red Hat Product Errata RHSA-2025:9117 0 None None None 2025-06-16 15:04:18 UTC
Red Hat Product Errata RHSA-2025:9166 0 None None None 2025-06-17 09:05:57 UTC
Red Hat Product Errata RHSA-2025:9318 0 None None None 2025-06-23 03:30:30 UTC
Red Hat Product Errata RHSA-2025:9696 0 None None None 2025-06-25 19:28:11 UTC
Red Hat Product Errata RHSA-2025:9697 0 None None None 2025-06-25 19:47:54 UTC
Red Hat Product Errata RHSA-2025:9922 0 None None None 2025-06-30 13:17:26 UTC

Description OSIDB Bzimport 2025-05-28 14:01:19 UTC
Improper Access Control vulnerability in Apache Commons.

A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.

Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
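As an added example, not code from the Apache project or from this report, the following Java shows the two defences the description implies for an application that cannot yet move to 1.11.0 / 2.0.0-M2: register a SuppressPropertiesBeanIntrospector for the property the advisory names, and allowlist externally supplied property paths before they reach getNestedProperty(). It assumes commons-beanutils 1.9.2 or later (for SuppressPropertiesBeanIntrospector and addBeanIntrospector); the Account bean, the allowlist and the blocked-name set are constructed for the demo, and the set also carries "declaringClass" because that is the JavaBeans name of java.lang.Enum.getDeclaringClass().

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class EnumPropertyHardening {
    public enum Status { ACTIVE, DISABLED }
    public static class Account { public Status getStatus() { return Status.ACTIVE; } } // constructed demo bean

    // Refuse the advisory's "declaredClass", Enum.getDeclaringClass()'s bean name "declaringClass", and "class".
    static final Set<String> BLOCKED = new HashSet<>(Arrays.asList("declaredClass", "declaringClass", "class"));
    // Only simple dotted paths pass; indexed "[0]" and mapped "(key)" syntax is rejected outright.
    static final Pattern SAFE_PATH = Pattern.compile("[a-z][A-Za-z0-9]*(\\.[a-z][A-Za-z0-9]*)*");
    // Assumed allowlist of top-level properties an external caller may read.
    static final Set<String> ALLOWED_ROOTS = new HashSet<>(Arrays.asList("status"));

    // Suppress the blocked names at introspection time (1.11.0 / 2.0.0-M2 do this by default).
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(BLOCKED));
        return pub;
    }

    // Validates an externally supplied path before it reaches getNestedProperty().
    static Object readExternalPath(PropertyUtilsBean pub, Object bean, String path) throws Exception {
        if (path == null || !SAFE_PATH.matcher(path).matches())
            throw new IllegalArgumentException("malformed property path");
        String[] segments = path.split("\\.");
        if (!ALLOWED_ROOTS.contains(segments[0]))
            throw new IllegalArgumentException("property not exposed: " + segments[0]);
        for (String seg : segments)
            if (BLOCKED.contains(seg)) throw new IllegalArgumentException("blocked segment: " + seg);
        return pub.getNestedProperty(bean, path); // the introspector is the second line of defence
    }

    public static void main(String[] args) throws Exception {
        PropertyUtilsBean pub = hardened();
        try {
            readExternalPath(pub, new Account(), "status.declaringClass");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
        try { // even without the allowlist, the suppressing introspector alone blocks the read
            pub.getNestedProperty(new Account(), "status.declaringClass");
        } catch (NoSuchMethodException e) {
            System.out.println("suppressed by introspector: " + e.getMessage());
        }
    }
}
```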

Comment 2 errata-xmlrpc 2025-06-05 02:19:47 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:8265 https://access.redhat.com/errata/RHSA-2025:8265

Comment 3 errata-xmlrpc 2025-06-11 15:34:12 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.10 for Quarkus 3.20

Via RHSA-2025:8919 https://access.redhat.com/errata/RHSA-2025:8919

Comment 4 errata-xmlrpc 2025-06-16 14:56:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:9114 https://access.redhat.com/errata/RHSA-2025:9114

Comment 5 errata-xmlrpc 2025-06-16 15:02:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2025:9115 https://access.redhat.com/errata/RHSA-2025:9115

Comment 6 errata-xmlrpc 2025-06-16 15:04:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4.22

Via RHSA-2025:9117 https://access.redhat.com/errata/RHSA-2025:9117

Comment 8 errata-xmlrpc 2025-06-17 09:05:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:9166 https://access.redhat.com/errata/RHSA-2025:9166

Comment 9 errata-xmlrpc 2025-06-23 03:30:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:9318 https://access.redhat.com/errata/RHSA-2025:9318

Comment 12 errata-xmlrpc 2025-06-25 19:28:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:9696 https://access.redhat.com/errata/RHSA-2025:9696

Comment 13 errata-xmlrpc 2025-06-25 19:47:46 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7

Via RHSA-2025:9697 https://access.redhat.com/errata/RHSA-2025:9697

Comment 14 errata-xmlrpc 2025-06-30 13:17:17 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.1

Via RHSA-2025:9922 https://access.redhat.com/errata/RHSA-2025:9922

Comment 15 errata-xmlrpc 2025-07-07 13:25:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2025:10453 https://access.redhat.com/errata/RHSA-2025:10453

Comment 16 errata-xmlrpc 2025-07-07 13:30:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:10452 https://access.redhat.com/errata/RHSA-2025:10452

Comment 17 errata-xmlrpc 2025-07-07 13:35:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0.8

Via RHSA-2025:10459 https://access.redhat.com/errata/RHSA-2025:10459

Comment 18 errata-xmlrpc 2025-07-10 16:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:10814 https://access.redhat.com/errata/RHSA-2025:10814

Comment 19 errata-xmlrpc 2025-07-14 15:54:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2025:10926 https://access.redhat.com/errata/RHSA-2025:10926

Comment 20 errata-xmlrpc 2025-07-14 15:55:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2025:10925 https://access.redhat.com/errata/RHSA-2025:10925

Comment 21 errata-xmlrpc 2025-07-14 15:55:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2025:10924 https://access.redhat.com/errata/RHSA-2025:10924

Comment 22 errata-xmlrpc 2025-07-14 16:21:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4.23

Via RHSA-2025:10931 https://access.redhat.com/errata/RHSA-2025:10931

Comment 23 errata-xmlrpc 2025-08-01 17:43:19 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.0.0

Via RHSA-2025:12511 https://access.redhat.com/errata/RHSA-2025:12511

Comment 24 errata-xmlrpc 2025-08-06 16:17:46 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.1

Via RHSA-2025:13274 https://access.redhat.com/errata/RHSA-2025:13274

Comment 26 errata-xmlrpc 2025-09-15 14:41:50 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.18-RHEL-9

Via RHSA-2025:15810 https://access.redhat.com/errata/RHSA-2025:15810

Comment 27 errata-xmlrpc 2025-09-15 14:42:18 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.12-RHEL-8

Via RHSA-2025:15813 https://access.redhat.com/errata/RHSA-2025:15813

Comment 28 errata-xmlrpc 2025-09-15 14:42:47 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.13-RHEL-8

Via RHSA-2025:15815 https://access.redhat.com/errata/RHSA-2025:15815

Comment 29 errata-xmlrpc 2025-09-15 15:01:33 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.16-RHEL-9

Via RHSA-2025:15811 https://access.redhat.com/errata/RHSA-2025:15811

Comment 30 errata-xmlrpc 2025-09-15 15:01:52 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.19-RHEL-9

Via RHSA-2025:15812 https://access.redhat.com/errata/RHSA-2025:15812

Comment 31 errata-xmlrpc 2025-09-15 15:02:50 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.14-RHEL-8

Via RHSA-2025:15816 https://access.redhat.com/errata/RHSA-2025:15816

Comment 32 errata-xmlrpc 2025-09-15 15:02:53 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2025:15817 https://access.redhat.com/errata/RHSA-2025:15817

Comment 33 errata-xmlrpc 2025-09-15 15:07:14 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.17-RHEL-9

Via RHSA-2025:15814 https://access.redhat.com/errata/RHSA-2025:15814

Comment 36 errata-xmlrpc 2025-09-22 23:39:39 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.12.5

Via RHSA-2025:16409 https://access.redhat.com/errata/RHSA-2025:16409

Comment 37 errata-xmlrpc 2025-09-25 00:07:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2025:16668 https://access.redhat.com/errata/RHSA-2025:16668

Comment 38 errata-xmlrpc 2025-09-25 00:08:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7

Via RHSA-2025:16667 https://access.redhat.com/errata/RHSA-2025:16667

