CVE-2019-10086 – commons-beanutils:commons-beanutils
Package
Manager: maven
Name: commons-beanutils:commons-beanutils
Vulnerable Version: >=0 <1.9.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00262 (percentile 0.49368)
Details
Insecure Deserialization in Apache Commons Beanutils
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing an attacker's ability to access the classloader via the class property that is available on all Java objects. However, this BeanIntrospector was not enabled by default in PropertyUtilsBean.
Metadata
Created: 2020-06-15T20:36:17Z
Modified: 2022-02-08T22:07:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6phf-73q6-gh87/GHSA-6phf-73q6-gh87.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-6phf-73q6-gh87
Finding: F096
Auto approve: 1