ID |
CVE-2019-10086
|
Summary |
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added that allows suppressing an attacker's ability to reach the ClassLoader through the class property that every Java object exposes. That suppression was, however, not enabled by default in PropertyUtilsBean. Commons Beanutils 1.9.4 enables it by default (see the 1.9.3 to 1.9.4 update references below). |
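The following is an added example, not code from this CVE entry or from Apache Commons Beanutils itself. It shows the path the summary describes: a PropertyUtilsBean in its default 1.9.2/1.9.3 configuration resolves the nested property path "class.classLoader" on any bean and hands back the application's ClassLoader, while the same PropertyUtilsBean with SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS registered rejects the first segment. The UserForm bean and the attacker-supplied path are constructed for the demonstration; the introspector, BeanUtilsBean and PropertyUtilsBean APIs are the library's own.

```java
// Added example for CVE-2019-10086 (not code from the CVE entry or from
// Apache Commons Beanutils itself). Assumes commons-beanutils 1.9.2 or 1.9.3
// on the classpath; the UserForm bean and the attacker path are constructed here.
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class Cve201910086Demo {

    // A minimal bean of the kind an application binds request parameters onto.
    public static class UserForm {
        private String name = "anonymous";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Resolves a caller-supplied nested property path against a bean using the
    // given PropertyUtilsBean. Returns the resolved object, or null when the
    // introspector configuration hides the property (NoSuchMethodException).
    static Object resolve(PropertyUtilsBean pub, Object bean, String path) {
        try {
            return pub.getNestedProperty(bean, path);
        } catch (NoSuchMethodException e) {
            // "Unknown property 'class' on class ..." once SUPPRESS_CLASS is active
            return null;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("unexpected reflection failure", e);
        }
    }

    // Hardened configuration: register the introspector that removes the
    // "class" property. Commons Beanutils 1.9.4 does this in the
    // PropertyUtilsBean constructor; on 1.9.2/1.9.3 the application must opt in.
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    public static void main(String[] args) {
        UserForm form = new UserForm();
        // Constructed attacker input: a property path that walks from any bean
        // through java.lang.Object#getClass() to java.lang.Class#getClassLoader().
        String attackerPath = "class.classLoader";

        // 1. Default PropertyUtilsBean on 1.9.2/1.9.3: "class" is an ordinary
        //    readable property, so the lookup yields the application ClassLoader.
        PropertyUtilsBean defaultPub = BeanUtilsBean.getInstance().getPropertyUtils();
        System.out.println("default  -> " + resolve(defaultPub, form, attackerPath));

        // 2. Same lookup with SUPPRESS_CLASS registered: the path is rejected
        //    at the first segment and resolve() returns null.
        System.out.println("hardened -> " + resolve(hardened(), form, attackerPath));

        // 3. Ordinary properties are unaffected by the suppression.
        System.out.println("name     -> " + resolve(hardened(), form, "name"));
    }
}
```

Applications that go through the static BeanUtils or PropertyUtils facades use the shared instance, so the opt-in on 1.9.2/1.9.3 has to be applied there: BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS), executed once at startup before any request binding. Upgrading to 1.9.4 makes this the default. Note that SUPPRESS_CLASS only removes the "class" hop; it does not restrict which other getters a caller-controlled property path may traverse, so code that binds untrusted parameter names onto beans should still allow-list the property names it accepts.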
References |
|
Vulnerable Configurations |
- cpe:2.3:a:apache:commons_beanutils:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
|
CVSS |
Base: | 7.5 (as of 24-12-2020 - 05:15) |
Impact: | 6.4 (CVSS v2 impact subscore for C:P/I:P/A:P) |
Exploitability: | 10.0 (CVSS v2 exploitability subscore for AV:N/AC:L/Au:N) |
|
CWE |
CWE-502 |
CAPEC |
-
Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
|
Access |
Vector | Complexity | Authentication |
NETWORK | LOW | NONE |
|
Impact |
Confidentiality | Integrity | Availability |
PARTIAL | PARTIAL | PARTIAL |
|
cvss-vector (via4) | AV:N/AC:L/Au:N/C:P/I:P/A:P |
redhat (via4) | |
refmap (via4) |
fedora | - FEDORA-2019-79b5790566
- FEDORA-2019-bcad44b5d6 |
misc | |
mlist | - [brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs
- [commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.
- [commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.
- [commons-issues] 20190925 [GitHub] [commons-validator] jeff-schram opened a new pull request #18: Update pom.xml
- [debian-lts-announce] 20190824 [SECURITY] [DLA 1896-1] commons-beanutils security update
- [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
- [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
- [shiro-dev] 20191001 [jira] [Commented] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix
- [shiro-dev] 20191001 [jira] [Created] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fiix
- [shiro-dev] 20191001 [jira] [Updated] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix
- [shiro-dev] 20191023 [jira] [Assigned] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix
- [shiro-dev] 20191105 [jira] [Resolved] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix
- [tinkerpop-commits] 20190829 [tinkerpop] branch master updated: Bump commons-beanutils to 1.9.4 for CVE-2019-10086 - CTR
- [www-announce] 20190815 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default. |
suse | openSUSE-SU-2019:2058 |
|
Last major update |
24-12-2020 - 05:15 |
Published |
20-08-2019 - 21:15 |
Last modified |
24-12-2020 - 05:15 |