Usage of vulnerable Apache Commons Collections InvokerTransformer class

Description

The InvokerTransformer class in Apache Commons Collections versions older than 3.2.2 has a known security vulnerability: an application that deserializes untrusted data with this class on its classpath is exposed to remote code execution.

Remediations

✅ Upgrade Apache Commons Collections 3 to version 3.2.2 or above

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_apache_commons_collection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_apache_commons_collection