Background:
This is logged on the back of the discussion with the ZAP team about the current behaviour of XML External Entity Attack scanner. There were two concerns raised in this discussion. I am creating seperate tickets for them as they can be addressed independent of each other. F

Description

BeanUtils is a library that is doing automatic mapping to Java object.
It can cause arm when the attack controls part of the list of properties being sets. BeanUtils does not blacklist properties like class, classloader or other objects that are likely to load arbitrary classes and possibly run code.

Code

import org.apache.commons.beanutils.BeanUtils;

public

Summary

Dependabot has identified several security vulnerabilities in the 3rd party libraries Pacbot relies on. In most cases, these vulnerabilities can be resolved by upgrading the library to the most current version.

Maintainers, if you're internal to T-Mobile, you should have been seeing these security alerts coming in over the last several weeks. *Please respond to these in a timely ma

The current swagger definition is autogenerated. The automatically generated definitions rely on reflection and annotations to create the documentation. The reflection capabilities are poor at best and lead to missing API parameters. Annotations can help in some cases, but the only fix for Swagger is to create individual POJOs for every possible request. This will lead to unnecessary large number