CVE-2019-10086

 

Published at: - 20-08-2019 11:15

Last modified: - 18-01-2023 07:21

Total changes: - 26

Description

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

 

Verification logic

 

Reference

• [www-announce] 20190815 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.-Mailing List, Vendor Advisory
• [debian-lts-announce] 20190824 [SECURITY] [DLA 1896-1] commons-beanutils security update-Mailing List, Third Party Advisory
• [tinkerpop-commits] 20190829 [tinkerpop] branch master updated: Bump commons-beanutils to 1.9.4 for CVE-2019-10086 - CTR-Mailing List, Patch, Vendor Advisory
• openSUSE-SU-2019:2058-Mailing List, Third Party Advisory
• [commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.-Mailing List, Vendor Advisory
• [commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.-Mailing List, Vendor Advisory
• [commons-issues] 20190925 [GitHub] [commons-validator] jeff-schram opened a new pull request #18: Update pom.html-Mailing List, Vendor Advisory
• [shiro-dev] 20191001 [jira] [Created] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fiix-Mailing List, Vendor Advisory
• [shiro-dev] 20191001 [jira] [Updated] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix-Mailing List, Vendor Advisory
• [shiro-dev] 20191001 [jira] [Commented] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix-Mailing List, Vendor Advisory
• [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities-Mailing List, Vendor Advisory
• [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Mailing List, Vendor Advisory
• [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Mailing List, Vendor Advisory
• [shiro-dev] 20191023 [jira] [Assigned] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix-Mailing List, Vendor Advisory
• [shiro-dev] 20191105 [jira] [Resolved] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix-Mailing List, Vendor Advisory
• FEDORA-2019-79b5790566-Mailing List, Third Party Advisory
• FEDORA-2019-bcad44b5d6-Mailing List, Third Party Advisory
• RHSA-2019:4317-Third Party Advisory
• RHSA-2020:0057-Third Party Advisory
• https://www.oracle.com/security-alerts/cpujan2020.html
• RHSA-2020:0194-Third Party Advisory
• RHSA-2020:0811-Third Party Advisory
• RHSA-2020:0804-Third Party Advisory
• RHSA-2020:0805-Third Party Advisory
• RHSA-2020:0806-Third Party Advisory
• N/A-Patch, Third Party Advisory
• [brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs-Mailing List, Vendor Advisory
• https://www.oracle.com/security-alerts/cpujul2020.html
• [atlas-dev] 20201022 [jira] [Created] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Vendor Advisory
• [atlas-dev] 20201022 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Vendor Advisory
• [atlas-dev] 20201023 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Vendor Advisory
• [atlas-dev] 20201023 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Vendor Advisory
• [atlas-commits] 20201023 [atlas] 01/05: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Patch, Vendor Advisory
• [atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Vendor Advisory
• [atlas-dev] 20201026 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Vendor Advisory
• [atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086-Mailing List, Vendor Advisory
• [rocketmq-dev] 20201223 [GitHub] [rocketmq] crazywen opened a new pull request #2515: Update pom.html-Mailing List, Vendor Advisory
• https://www.oracle.com/security-alerts/cpujan2021.html
• [dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils-Mailing List, Vendor Advisory
• [dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] lgcareer commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils-Mailing List, Vendor Advisory
• https://www.oracle.com/security-alerts/cpuApr2021.html
• N/A-Patch, Third Party Advisory
• [nifi-issues] 20210827 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• [nifi-issues] 20210827 [GitHub] [nifi] naddym opened a new pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• [nifi-issues] 20210827 [jira] [Created] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• [nifi-issues] 20210907 [GitHub] [nifi] MikeThomsen commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• [nifi-commits] 20210907 [nifi] branch main updated: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 NIFI-9170 Add two more 1.9.4 references to close out the few things identified by the Maven dependency plugin.-Mailing List, Vendor Advisory
• [nifi-issues] 20210907 [jira] [Commented] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• [nifi-issues] 20210907 [GitHub] [nifi] asfgit closed pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• [nifi-issues] 20210908 [GitHub] [nifi] naddym commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• [nifi-issues] 20210915 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086-Mailing List, Vendor Advisory
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• N/A-

 

Keywords

NVD

 

CVE-2019-10086

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures