CVE-2019-10086

high

Description

In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, this BeanIntrospector was not enabled by default in PropertyUtilsBean.

References

http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3e

https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tinkerpop.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.commons.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.shiro.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/

https://lists.fedoraproject.org/archives/list/[email protected]/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/

https://access.redhat.com/errata/RHSA-2019:4317

https://access.redhat.com/errata/RHSA-2020:0057

https://www.oracle.com/security-alerts/cpujan2020.html

https://access.redhat.com/errata/RHSA-2020:0194

https://access.redhat.com/errata/RHSA-2020:0811

https://access.redhat.com/errata/RHSA-2020:0804

https://access.redhat.com/errata/RHSA-2020:0805

https://access.redhat.com/errata/RHSA-2020:0806

https://www.oracle.com/security-alerts/cpuapr2020.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.brooklyn.apache.org%3E

https://www.oracle.com/security-alerts/cpujul2020.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.atlas.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.rocketmq.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.dolphinscheduler.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.dolphinscheduler.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.nifi.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2019-08-20

Updated: 2021-10-20

Type: CWE-502

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 7.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Impact Score: 3.4

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:nifi:1.15.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:nifi:1.14.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:* versions from 1.0 to 1.9.3 (inclusive)

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

Configuration 6

AND

OR

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*

OR

cpe:2.3:o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:e-business_suite:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:sap:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*

cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:sap:*:*

cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3.0.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_console:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_performance_intelligence_center:10.4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware:11.1.1.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.1.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:7.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:healthcare_foundation:8.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:insurance_data_gateway:1.0.2.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.5.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 16.2.0 to 16.2.11 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.12.0 to 17.12.6 (inclusive)

cpe:2.3:a:oracle:real-time_decisions_solutions:3.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_merchandising_system:5.0.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_price_management:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_price_management:14.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:service_bus:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:solaris_cluster:4.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from 4.3.0.1.0 to 4.3.0.6.0 (inclusive)

cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*

Tenable Plugins


ID | Name | Product | Family | Severity
152043 | Oracle Application Testing Suite (Jul 2021 CPU) | Nessus | Misc. | high
148952 | Oracle E-Business Suite Multiple Vulnerabilities (April 2021 CPU) | Nessus | Misc. | high
148924 | Oracle WebLogic Server Multiple Vulnerabilities (Apr 2021 CPU) | Nessus | Misc. | critical
146048 | Oracle WebCenter Portal Multiple Vulnerabilities (Jan 2021 CPU) | Nessus | Misc. | critical
145569 | Oracle Primavera Unifier (Jan 2021 CPU) | Nessus | CGI abuses | critical
145538 | Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Jan 2021 CPU) | Nessus | CGI abuses | high
145264 | Oracle WebLogic Server Multiple Vulnerabilities (Jan 2021 CPU) | Nessus | Misc. | critical
144009 | NewStart CGSL CORE 5.05 / MAIN 5.05 : apache-commons-beanutils Vulnerability (NS-SA-2020-0100) | Nessus | NewStart CGSL Local Security Checks | high
141853 | IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.17 / 9.0.x < 9.0.5.2 Beanutils Vulnerability (CVE-2019-10086) | Nessus | Web Servers | high
138528 | Oracle Database Server Multiple Vulnerabilities (Jul 2020 CPU) | Nessus | Databases | critical
137775 | RHEL 7 : candlepin and satellite (RHSA-2020:2740) | Nessus | Red Hat Local Security Checks | high
136038 | RHEL 7 : Satellite 6.7 release. (Important) (RHSA-2020:1454) | Nessus | Red Hat Local Security Checks | high
135583 | Oracle Primavera Gateway (Apr 2020 CPU) | Nessus | CGI abuses | critical
135185 | RHEL 7 : Red Hat Virtualization Engine security, bug fix 4.3.9 (Low) (RHSA-2020:1308) | Nessus | Red Hat Local Security Checks | high
134614 | RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 8 (RHSA-2020:0806) | Nessus | Red Hat Local Security Checks | high
134613 | RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 7 (RHSA-2020:0805) | Nessus | Red Hat Local Security Checks | high
134612 | RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 6 (RHSA-2020:0804) | Nessus | Red Hat Local Security Checks | high
134324 | NewStart CGSL CORE 5.04 / MAIN 5.04 : apache-commons-beanutils Vulnerability (NS-SA-2020-0011) | Nessus | NewStart CGSL Local Security Checks | high
133867 | Amazon Linux 2 : apache-commons-beanutils (ALAS-2020-1395) | Nessus | Amazon Linux Local Security Checks | high
133310 | CentOS 7 : apache-commons-beanutils (CESA-2020:0194) | Nessus | CentOS Local Security Checks | high
133192 | Scientific Linux Security Update : apache-commons-beanutils on SL7.x (noarch) (20200121) | Nessus | Scientific Linux Local Security Checks | high
133182 | Oracle Linux 7 : apache-commons-beanutils (ELSA-2020-0194) | Nessus | Oracle Linux Local Security Checks | high
133165 | RHEL 7 : apache-commons-beanutils (RHSA-2020:0194) | Nessus | Red Hat Local Security Checks | high
130990 | Fedora 31 : apache-commons-beanutils (2019-bcad44b5d6) | Nessus | Fedora Local Security Checks | high
130988 | Fedora 30 : apache-commons-beanutils (2019-79b5790566) | Nessus | Fedora Local Security Checks | high
128464 | openSUSE Security Update : apache-commons-beanutils (openSUSE-2019-2058) | Nessus | SuSE Local Security Checks | high
128123 | Debian DLA-1896-1 : commons-beanutils security update | Nessus | Debian Local Security Checks | high