CVE-2019-10086

high

Description

In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which allows suppressing an attacker's ability to reach the classloader through the class property that every Java object exposes. This suppression was, however, not enabled by default in PropertyUtilsBean.

References

http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3e

https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tinkerpop.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/

https://lists.fedoraproject.org/archives/list/[email protected]/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/

https://access.redhat.com/errata/RHSA-2019:4317

https://access.redhat.com/errata/RHSA-2020:0057

https://www.oracle.com/security-alerts/cpujan2020.html

https://access.redhat.com/errata/RHSA-2020:0194

https://access.redhat.com/errata/RHSA-2020:0811

https://access.redhat.com/errata/RHSA-2020:0804

https://access.redhat.com/errata/RHSA-2020:0805

https://access.redhat.com/errata/RHSA-2020:0806

https://www.oracle.com/security-alerts/cpuapr2020.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.brooklyn.apache.org%3E

https://www.oracle.com/security-alerts/cpujul2020.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.rocketmq.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.dolphinscheduler.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.dolphinscheduler.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

Details

Source: MITRE

Published: 2019-08-20

Updated: 2022-07-25

Type: CWE-502

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 7.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Impact Score: 3.4

Exploitability Score: 3.9

Severity: HIGH