Skip to main content

Java CVE-2019-10086

HIGH
Deserialization of Untrusted Data (CWE-502)
2019-08-20 security@apache.org
Java Apache Deserialization Commons Beanutils Nifi Debian Linux Leap Fedora Enterprise Linux Desktop Enterprise Linux Eus Enterprise Linux Server Enterprise Linux Server Aus Enterprise Linux Server Tus Enterprise Linux Workstation Jboss Enterprise Application Platform Agile Plm Agile Product Lifecycle Management Integration Pack Application Testing Suite Banking Platform Blockchain Platform Communications Billing And Revenue Management Communications Billing And Revenue Management Elastic Charging Engine Communications Cloud Native Core Console Communications Cloud Native Core Policy Communications Cloud Native Core Unified Data Repository Communications Convergence Communications Design Studio Communications Evolved Communications Application Server Communications Metasolv Solution Communications Network Integrity Communications Performance Intelligence Center Communications Pricing Design Center Communications Unified Inventory Management Customer Management And Segmentation Foundation Enterprise Manager For Virtualization Financial Services Revenue Management And Billing Analytics Flexcube Private Banking Fusion Middleware Healthcare Foundation Hospitality Opera 5 Hospitality Reporting And Analytics Insurance Data Gateway Jd Edwards Enterpriseone Orchestrator Jd Edwards Enterpriseone Tools Peoplesoft Enterprise Peopletools Peoplesoft Enterprise Pt Peopletools Primavera Gateway Real Time Decisions Solutions Retail Advanced Inventory Planning Retail Back Office Retail Central Office Retail Invoice Matching Retail Merchandising System Retail Point Of Service Retail Predictive Application Server Retail Price Management Retail Returns Management Retail Xstore Point Of Service Service Bus Solaris Cluster Time And Labor Utilities Framework Weblogic Server
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Aug 20, 2019 - 21:15 nvd
HIGH 7.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 19,024 maven packages depend on commons-beanutils:commons-beanutils (2,350 direct, 16,776 indirect)

Ecosystem-wide dependent count for version 1.9.4.

DescriptionNVD

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

AnalysisAI

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Technical ContextAI

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. Affected products include: Apache Commons Beanutils, Apache Nifi, Debian Debian Linux, Opensuse Leap, Fedoraproject Fedora.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2019-10086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy