This table represents the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.
DefaultTyping is disabled; polymorphism with default typing or manual per-property type settings is not used in NBI.
Beanutils is used ONLY for outgoing serialization, to filter JSON nodes when populating the HTTP response with JSON.
Beanutils is not used on input data and is not exposed as-is to external clients.
Note: 1.9.3 is the latest release but still does not fix the listed vulnerability.
We tried to use some other frameworks, but only beanutils has some key features we cannot miss for filtering JSON response data. Avoiding commons-beanutils would mean an important rewrite of the code.
Used by the sdc-tosca parser. NBI uses the sdc-tosca parser without any input parameters provided through the NBI API.