


Perceptive Security
SOC/SIEM Consultancy

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypass…
Published:
26 April 2026 at 22:00:00
Alert date:
27 April 2026 at 10:01:58
Source:
nvd.nist.gov
Network Infrastructure, Enterprise Applications
Apache MINA's AbstractIoBuffer.resolveClass() method contains a vulnerability: in the code branch that handles static classes or primitive types, the classname allowlist validation is skipped, allowing arbitrary code execution. The vulnerability affects applications using Apache MINA that call IoBuffer.getObject(). Affected versions are Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5. The issue is resolved in versions 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist filter earlier, before Class.forName() is called. Organizations using affected Apache MINA versions are advised to upgrade immediately.
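The fix pattern described above (check the class name against the allowlist before anything resolves it) is illustrated below. This is an added example, not Apache MINA's code and not the actual patch: two ObjectInputStream.resolveClass() overrides, one with a fast-path branch for array descriptors that never consults the allowlist (the shape of the flaw), and one that reduces every descriptor to a class name and checks it before super.resolveClass(), which is where Class.forName() happens. The allowlist contents, the class names WeakFilteringInputStream and HardenedFilteringInputStream, and the sample payloads are all constructed for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/**
 * Illustrative code, not Apache MINA's: two resolveClass() overrides implementing a
 * classname allowlist. "Weak" reproduces the shape of the advisory's flaw (one branch
 * loads the class without consulting the list); "Hardened" decides on the name first.
 */
public class AllowlistResolveDemo {

    // Constructed allowlist. java.lang.Number is included because Integer's stream
    // form also carries its superclass descriptor, which goes through resolveClass().
    static final Set<String> ALLOWED = Set.of("java.lang.Integer", "java.lang.Number");

    /** Weak filter: array descriptors take a branch that bypasses the allowlist. */
    static final class WeakFilteringInputStream extends ObjectInputStream {
        WeakFilteringInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("[")) {
                // Flawed branch (deliberate, for the demo): the class is loaded via
                // super.resolveClass() without the allowlist ever being consulted.
                return super.resolveClass(desc);
            }
            requireAllowed(name);
            return super.resolveClass(desc);
        }
    }

    /** Hardened filter: every descriptor is reduced to a class name and checked first. */
    static final class HardenedFilteringInputStream extends ObjectInputStream {
        HardenedFilteringInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("[")) {
                String element = name.replaceFirst("^\\[+", "");
                // A single-letter code (I, J, Z, ...) means a primitive array: allowed.
                if (element.length() == 1) {
                    return super.resolveClass(desc);
                }
                // "Lpkg.Type;" -> "pkg.Type"; the element type must itself be allowed.
                if (element.startsWith("L") && element.endsWith(";")) {
                    element = element.substring(1, element.length() - 1);
                }
                requireAllowed(element);
            } else {
                requireAllowed(name);
            }
            // Only after the allowlist decision is Class.forName() (inside super) reached.
            return super.resolveClass(desc);
        }
    }

    static void requireAllowed(String className) throws InvalidClassException {
        if (!ALLOWED.contains(className)) {
            throw new InvalidClassException(className, "class not on the deserialization allowlist");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static String tryRead(ObjectInputStream in) {
        try (in) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] plain = serialize(Integer.valueOf(42));
        // Object[] is not on the allowlist; the weak filter never looks at its descriptor.
        byte[] wrapped = serialize(new Object[] { Integer.valueOf(42) });
        System.out.println("weak,     Integer : " + tryRead(new WeakFilteringInputStream(new ByteArrayInputStream(plain))));
        System.out.println("weak,     Object[]: " + tryRead(new WeakFilteringInputStream(new ByteArrayInputStream(wrapped))));
        System.out.println("hardened, Integer : " + tryRead(new HardenedFilteringInputStream(new ByteArrayInputStream(plain))));
        System.out.println("hardened, Object[]: " + tryRead(new HardenedFilteringInputStream(new ByteArrayInputStream(wrapped))));
    }
}
```

Running the demo shows the two filters agreeing on the plain Integer and disagreeing on the Object[] wrapper: the weak variant accepts a descriptor whose element type is not on the list, the hardened variant rejects it before any class is loaded. On Java 9 and later the JDK's own ObjectInputFilter (JEP 290) offers a built-in mechanism for the same allowlist, independent of how resolveClass() is written.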
Technical details
Mitigation steps:
Affected products:
Apache MINA
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41635
https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
