
Apache Commons – Apache Commons Reporting Security Problems

<!DOCTYPE html> <!-- | Generated by Apache Maven Doxia at 14 February 2025 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="author" content="Commons Documentation Team" /> <meta name="Date-Revision-yyyymmdd" content="20250214" /> <meta http-equiv="Content-Language" content="en" /> <title>Apache Commons &#x2013; Apache Commons Reporting Security Problems</title> <link rel="stylesheet" href="./css/bootstrap.min.css" type="text/css" /> <link rel="stylesheet" href="./css/site.css" type="text/css" /> <link rel="stylesheet" href="./css/print.css" media="print" /> <script type="text/javascript" src="./js/jquery.min.js"></script> <script type="text/javascript" src="./js/bootstrap.min.js"></script> <script type="text/javascript" src="./js/prettify.min.js"></script> <script type="text/javascript" src="./js/site.js"></script> </head> <body class="composite"> <a href="./" id="bannerLeft" title="Apache Commons logo"> <img class="logo-left" src="images/commons-logo.png" alt="Apache Commons logo"/> </a> <div class="clear"></div> <div class="navbar"> <div class="navbar-inner"> <div class="container-fluid"> <a class="brand" href="https://commons.apache.org/">Apache Commons &trade;</a> <ul class="nav"> <li id="publishDate">Last Published: 14 February 2025</li> <li class="divider">|</li> <li id="projectVersion">Version: unspecified</li> </ul> <div class="pull-right"> <ul class="nav"> <li> <a href="components.html" title="Components"> Components</a> </li> <li> <a href="sandbox.html" title="Sandbox"> Sandbox</a> </li> <li> <a href="dormant.html" title="Dormant"> Dormant</a> </li> <li> <a href="https://www.apachecon.com/" class="externalLink" title="ApacheCon"> ApacheCon</a> </li> <li> <a href="https://www.apache.org" class="externalLink" title="Apache"> Apache</a> </li> </ul> </div> </div> </div> 
</div> <div class="container-fluid"> <table class="layout-table"> <tr> <td class="content"> <section> <h2><a name="Reporting_New_Security_Problems_with_Apache_Commons_Components"></a>Reporting New Security Problems with Apache Commons Components</h2> <p>The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service attacks against its products.</p> <p>We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum.</p> <p>Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in our source code will be ignored.</p> <p>If you need to report a bug that isn't an undisclosed security vulnerability, please use the <a href="patches.html#Submitting_A_Patch">bug reporting page</a>.</p> <p>The private security mailing address is: <a class="externalLink" href="mailto:security@commons.apache.org">security@commons.apache.org</a></p> </section> <section> <h2><a name="Asking_Questions_About_Known_Security_Problems"></a>Asking Questions About Known Security Problems</h2> <p>Questions about:</p> <ul> <li>if a vulnerability applies to your particular application</li> <li>obtaining further information on a published vulnerability</li> <li>availability of patches and/or new releases</li> </ul> <p>should be addressed to the users mailing list. Please see the <a href="mail-lists.html">mailing lists page</a> for details of how to subscribe.</p> </section> <section> <h2><a name="Security_Model"></a>Security Model</h2> <p> The Commons libraries are low-level libraries typically designed to work with input that is either trusted or validated/sanitized by the application using the library. 
It is unsafe to provide possibly malicious input to Commons libraries unless otherwise specified.</p> <p> We consider calls to the Commons API subject to the same caveat as the JDK: those calls will usually do what the caller asks. Whether it is &quot;dangerous&quot; depends on the (application) context. Therefore, don't report a behavior as a Commons component's vulnerability if the same behavior would be considered legitimate for the JDK. We welcome suggestions for hardening the code base. </p> </section> <section> <h2><a name="Known_Security_Vulnerabilities"></a>Known Security Vulnerabilities</h2> <p>Known security vulnerabilities fixed in released versions of Apache Commons components are listed in specific pages for each component.</p> <ul> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-bcel/security.html">Apache Commons BCEL Security Vulnerabilities</a></li> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-collections/security-reports.html#Apache_Commons_Collections_Security_Vulnerabilities">Apache Commons Collections Security Vulnerabilities</a></li> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-compress/security.html#Apache_Commons_Compress_Security_Vulnerabilities">Apache Commons Compress Security Vulnerabilities</a></li> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-configuration/security.html">Apache Commons Configuration Security Vulnerabilities</a></li> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-crypto/security.html">Apache Commons Crypto Security Vulnerabilities</a></li> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-email/security-reports.html#Apache_Commons_Email_Security_Vulnerabilities">Apache Commons Email Security Vulnerabilities</a></li> <li><a class="externalLink" 
href="https://commons.apache.org/proper/commons-fileupload/security-reports.html#Apache_Commons_FileUpload_Security_Vulnerabilities">Apache Commons FileUpload Security Vulnerabilities</a></li> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-net/security.html">Apache Commons NET Security Vulnerabilities</a></li> <li><a class="externalLink" href="https://commons.apache.org/proper/commons-text/security.html">Apache Commons Text Security Vulnerabilities</a></li> </ul> <p>If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions in one of the pages are incomplete, please report them privately to the Apache Security Team. Thank you.</p> </section> <section> <h2><a name="Errors_and_Omissions"></a>Errors and Omissions</h2> <p>Please report any errors or omissions to <a href="mail-lists.html">the dev mailing list</a>.</p> </section> </td> </tr> </table> </div> <div class="footer"> <p>Copyright &copy; 2025 <a href="https://www.apache.org/">The Apache Software Foundation</a>. All Rights Reserved.</p> <div class="center">Apache Commons, Apache, the Apache feather logo, and the Apache Commons project logos are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div> </div> </body> </html>
