Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypass…

Apache MINA's AbstractIoBuffer.resolveClass() method contains a security vulnerability where one code branch for static classes or primitive types bypasses the classname allowlist, allowing arbitrary code execution. The vulnerability affects Apache MINA versions 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5. Applications using Apache MINA that call IoBuffer.getObject() are affected. The issue is resolved in versions 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist check earlier in the process. Users are advised to upgrade to the patched versions.