From f641db31677082a20ec28a8147b43cbb0330501d Mon Sep 17 00:00:00 2001
From: Prudhvi Godithi
Date: Thu, 7 Aug 2025 20:45:30 -0700
Subject: [PATCH 1/2] fix cve

Signed-off-by: Prudhvi Godithi
---
 gradle/libs.versions.toml | 1 +
 plugins/identity-shiro/build.gradle | 2 +-
 test/fixtures/hdfs-fixture/build.gradle | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 24f128885f457..eb3a641914e2c 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -29,6 +29,7 @@ tdigest = "3.3"
 hdrhistogram = "2.2.2"
 grpc = "1.68.2"
 json_smart = "2.5.2"
+commons_beanutils = "1.11.0"
 # when updating the JNA version, also update the version in buildSrc/build.gradle
 jna = "5.16.0"
 
diff --git a/plugins/identity-shiro/build.gradle b/plugins/identity-shiro/build.gradle
index f72155e1d28b2..e67029b8167d6 100644
--- a/plugins/identity-shiro/build.gradle
+++ b/plugins/identity-shiro/build.gradle
@@ -22,7 +22,7 @@ dependencies {
 
 // Needed for shiro
 implementation "org.slf4j:slf4j-api:${versions.slf4j}"
- implementation 'commons-beanutils:commons-beanutils:1.11.0'
+ implementation "commons-beanutils:commons-beanutils:${versions.commons_beanutils}"
 implementation 'commons-logging:commons-logging:1.2'
 implementation 'commons-lang:commons-lang:2.6'
 
diff --git a/test/fixtures/hdfs-fixture/build.gradle b/test/fixtures/hdfs-fixture/build.gradle
index 58b26e38a92f8..79f68507fb971 100644
--- a/test/fixtures/hdfs-fixture/build.gradle
+++ b/test/fixtures/hdfs-fixture/build.gradle
@@ -36,6 +36,12 @@ versions << [
 'jetty': '9.4.57.v20241219'
 ]
 
+configurations.all {
+ resolutionStrategy {
+ force "commons-beanutils:commons-beanutils:${versions.commons_beanutils}"
+ }
+}
+
 dependencies {
 api("org.apache.hadoop:hadoop-minicluster:3.4.1") {
 exclude module: 'websocket-client'

From ec47b26600e041efb9ea658f30eba275bbf9fece Mon Sep 17 00:00:00 2001
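Review bot: The `resolutionStrategy { force ... }` block added to test/fixtures/hdfs-fixture/build.gradle pins commons-beanutils to an exact version, so if a later hadoop-minicluster bump brings in a newer commons-beanutils the force will silently downgrade it back to the catalog value instead of keeping the newer one. A `constraints` entry with `version { require ... }` raises the transitive version to at least the patched release while still letting a higher version win conflict resolution, which is the intent of a CVE bump. Either way the block should say why it exists: the subject says `fix cve` but neither the hunk nor the message names the advisory, so add a `because` (or a `// ...` comment) naming it, e.g. `because 'hadoop-minicluster pulls in a vulnerable commons-beanutils; see <ADVISORY-ID>'`. This assumes the fixture's `versions` map is populated from libs.versions.toml the same way identity-shiro's is; if it is only the local `versions << [...]` map, `versions.commons_beanutils` would resolve to null and the coordinate string would be malformed.
```groovy
// replaces the added configurations.all { resolutionStrategy { force ... } } block
dependencies {
  constraints {
    api('commons-beanutils:commons-beanutils') {
      version { require versions.commons_beanutils }
      because 'hadoop-minicluster pulls in a vulnerable commons-beanutils; see <ADVISORY-ID>'
    }
  }
  // … unchanged: hadoop-minicluster and the remaining fixture dependencies …
```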
From: Prudhvi Godithi
Date: Thu, 7 Aug 2025 21:23:34 -0700
Subject: [PATCH 2/2] Update changelog

Signed-off-by: Prudhvi Godithi
---
 CHANGELOG.md | 2 +-
 release-notes/opensearch.release-notes-3.2.0.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14a9bab4ba04e..d22068d5c5ded 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -93,7 +93,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `com.azure:azure-storage-common` from 12.29.0 to 12.29.1 ([#18742](https://github.com/opensearch-project/OpenSearch/pull/18742))
 - Bump `org.apache.commons:commons-lang3` from 3.17.0 to 3.18.0 ([#18745](https://github.com/opensearch-project/OpenSearch/pull/18745)), ([#18955](https://github.com/opensearch-project/OpenSearch/pull/18955))
 - Bump `com.nimbusds:nimbus-jose-jwt` from 10.2 to 10.4 ([#18759](https://github.com/opensearch-project/OpenSearch/pull/18759), [#18804](https://github.com/opensearch-project/OpenSearch/pull/18804))
-- Bump `commons-beanutils:commons-beanutils` from 1.9.4 to 1.11.0 ([#18401](https://github.com/opensearch-project/OpenSearch/issues/18401))
+- Bump `commons-beanutils:commons-beanutils` from 1.9.4 to 1.11.0 ([#18401](https://github.com/opensearch-project/OpenSearch/issues/18401)), ([#18984](https://github.com/opensearch-project/OpenSearch/issues/18984))
 - Bump `org.xerial.snappy:snappy-java` from 1.1.10.7 to 1.1.10.8 ([#18803](https://github.com/opensearch-project/OpenSearch/pull/18803))
 - Bump `org.ajoberstar.grgit:grgit-core` from 5.2.1 to 5.3.2 ([#18935](https://github.com/opensearch-project/OpenSearch/pull/18935))
 - Bump `org.apache.kafka:kafka-clients` from 3.8.1 to 3.9.1 ([#18935](https://github.com/opensearch-project/OpenSearch/pull/18935))
diff --git a/release-notes/opensearch.release-notes-3.2.0.md b/release-notes/opensearch.release-notes-3.2.0.md
index ed2d9e4fa4b19..7b212692767dd 100644
--- a/release-notes/opensearch.release-notes-3.2.0.md
+++ b/release-notes/opensearch.release-notes-3.2.0.md
@@ -87,7 +87,7 @@ Compatible with OpenSearch and OpenSearch Dashboards version 3.2.0
 * Bump `com.azure:azure-storage-common` from 12.29.0 to 12.29.1 ([#18742](https://github.com/opensearch-project/OpenSearch/pull/18742))
 * Bump `org.apache.commons:commons-lang3` from 3.17.0 to 3.18.0 ([#18745](https://github.com/opensearch-project/OpenSearch/pull/18745)), ([#18955](https://github.com/opensearch-project/OpenSearch/pull/18955))
 * Bump `com.nimbusds:nimbus-jose-jwt` from 10.2 to 10.4 ([#18759](https://github.com/opensearch-project/OpenSearch/pull/18759), [#18804](https://github.com/opensearch-project/OpenSearch/pull/18804))
-* Bump `commons-beanutils:commons-beanutils` from 1.9.4 to 1.11.0 ([#18401](https://github.com/opensearch-project/OpenSearch/issues/18401))
+* Bump `commons-beanutils:commons-beanutils` from 1.9.4 to 1.11.0 ([#18401](https://github.com/opensearch-project/OpenSearch/issues/18401)), ([#18984](https://github.com/opensearch-project/OpenSearch/issues/18984))
 * Bump `org.xerial.snappy:snappy-java` from 1.1.10.7 to 1.1.10.8 ([#18803](https://github.com/opensearch-project/OpenSearch/pull/18803))
 * Bump `org.ajoberstar.grgit:grgit-core` from 5.2.1 to 5.3.2 ([#18935](https://github.com/opensearch-project/OpenSearch/pull/18935))
 * Bump `org.apache.kafka:kafka-clients` from 3.8.1 to 3.9.1 ([#18935](https://github.com/opensearch-project/OpenSearch/pull/18935))