{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"apache-commons-beanutils security update", "category":"general", "title":"Synopsis" }, { "text":"An update for apache-commons-beanutils is now available for openEuler-24.03-LTS-SP2", "category":"general", "title":"Summary" }, { "text":"The scope of this package is to create a package of Java utility methods for accessing and modifying the properties of arbitrary JavaBeans. No dependencies outside of the JDK are required, so the use of this package is very lightweight.\n\nSecurity Fix(es):\n\nA vulnerability, which was classified as critical, was found in Apache Commons BeanUtils up to 1.10.x/2.0.0-/1.CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 1.11.0 or 2.0.0-M2 eliminates this vulnerability.(CVE-2025-48734)", "category":"general", "title":"Description" }, { "text":"An update for apache-commons-beanutils is now available for openEuler-24.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"apache-commons-beanutils", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1803", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1803" }, { "summary":"CVE-2025-48734", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-48734&packageName=apache-commons-beanutils" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48734" }, { "summary":"openEuler-SA-2025-1803 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1803.json" } ], "title":"An update for apache-commons-beanutils is now available for openEuler-24.03-LTS-SP2", "tracking":{ "initial_release_date":"2025-07-11T20:21:00+08:00", "revision_history":[ { "date":"2025-07-11T20:21:00+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-07-11T20:21:00+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-07-11T20:21:00+08:00", "id":"openEuler-SA-2025-1803", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"openEuler-24.03-LTS-SP2", "name":"openEuler-24.03-LTS-SP2" }, "name":"openEuler-24.03-LTS-SP2", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch.rpm", "name":"apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch.rpm" }, "name":"apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch.rpm", "name":"apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch.rpm" }, "name":"apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"apache-commons-beanutils-1.9.4-4.oe2403sp2.src.rpm", "name":"apache-commons-beanutils-1.9.4-4.oe2403sp2.src.rpm" }, "name":"apache-commons-beanutils-1.9.4-4.oe2403sp2.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch", "name":"apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch", "name":"apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"apache-commons-beanutils-1.9.4-4.oe2403sp2.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.src", "name":"apache-commons-beanutils-1.9.4-4.oe2403sp2.src as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-48734", "notes":[ { "text":"A vulnerability, which was classified as critical, was found in Apache Commons BeanUtils up to 1.10.x/2.0.0-/1.CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 1.11.0 or 2.0.0-M2 eliminates this vulnerability.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.src" ], "details":"apache-commons-beanutils security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1803" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":8.8, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:apache-commons-beanutils-javadoc-1.9.4-4.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:apache-commons-beanutils-1.9.4-4.oe2403sp2.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-48734" } ] }