I have a question regarding com.sun.commons:beanutils:1.6.1-20070314
which is used transitively in
org.glassfish.metro:webservices-extra:2.3.1. I assume that these
beanutils are the same as the Apache commons beanutils version 1.6.1.
By now the apache commons beanutils are at version 1.9.2. Older
versions suffer from the CVE-2014-0114 vulnerability, which is quite
severe (CVSS v2 Base Score: 7.5 HIGH).
* Are you planning to update this outdated library?
* It is unclear whether the vulnerability is present this very old
version (1.6.1), but this library being older than the vulnerable ones
is not very comforting either.
* Is it possible to rule out that this vulnerability might be present
when using Metro?