CVE-2019-10086

HIGH

Apache Commons Beanutils 1.9.2 - Info Disclosure

Title source: llm

Description

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Exploits (1)

nomisec

by evilangelplus · poc

https://github.com/evilangelplus/CVE-2019-10086

View on nomisec

References (55)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html

[Various Sources] http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4%40apache.org%3e

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:4317

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0057

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0194

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0804

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0805

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0806

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0811

[Mailing List] https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48%40%3Cdev.shiro.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125%40%3Ccommits.tinkerpop.apache.org%3E

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuApr2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2020.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

... and 35 more

Scores

CVSS v3 7.3

EPSS 0.0124

EPSS Percentile 79.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502

Status published

Affected Products (50)

apache/commons_beanutils < 1.9.3

apache/nifi

apache/nifi

debian/debian_linux

opensuse/leap

opensuse/leap

fedoraproject/fedora

fedoraproject/fedora

redhat/enterprise_linux_desktop

redhat/enterprise_linux_eus

redhat/enterprise_linux_server

redhat/enterprise_linux_server_aus

redhat/enterprise_linux_server_tus

redhat/enterprise_linux_workstation

redhat/jboss_enterprise_application_platform

... and 35 more

Timeline

Published Aug 20, 2019

Tracked Since Feb 18, 2026