Infinispan
CVE-2019-10174
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 63 maven packages depend on org.infinispan:infinispan-core (50 direct, 13 indirect)
Ecosystem-wide dependent count for version 9.0.0.Final.
DescriptionNVD
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
AnalysisAI
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-470. A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. Affected products include: Infinispan, Redhat Fuse, Redhat Jboss Data Grid, Redhat Jboss Enterprise Application Platform, Redhat Openshift Application Runtimes.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Infinispan
View allInfinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurat
A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. Rated medium severi
A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permission
A flaw was found in Infinispan's REST. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server
A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed
A flaw was found in Infinispan. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack co
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today