What is CVE-2019-10086?

CVE-2019-10086 is a high-severity vulnerability in Apache Commons Beanutils, classified under Deserialization of Untrusted Data. CVSS score: 7.3/10. Published 2019-08-20.

How severe is CVE-2019-10086?

High severity. CVSS v3 base score is 7.3 out of 10.

Is CVE-2019-10086 known to be exploited?

27 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Apache Commons Beanutils

CVE-2019-10086

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using t…

Vulnerability class: Insecure Deserialization

EPSS: 0.288 (97.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

Apache Commons Beanutils — versions Apache Commons Beanutils 1.0 to 1.9.3
Apache Commons_beanutils
Apache Nifi — versions 1.14.0, 1.15.0
Oracle Agile_plm — versions 9.3.3, 9.3.5, 9.3.6
Oracle Agile_product_lifecycle_management_integration_pack — versions 3.5, 3.6
Oracle Application_testing_suite — versions 13.3.0.1
Oracle Banking_platform — versions 2.4.0, 2.7.1, 2.9.0
Oracle Blockchain_platform
Oracle Communications_billing_and_revenue_management — versions 7.5, 12.0.0.3.0
Oracle Communications_billing_and_revenue_management_elastic_charging_engine — versions 11.3.0.9, 12.0.0.3

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

References

security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-10086?: CVE-2019-10086 is a high-severity vulnerability in Apache Commons Beanutils, classified under Deserialization of Untrusted Data. CVSS score: 7.3/10. Published 2019-08-20.
How severe is CVE-2019-10086?: High severity. CVSS v3 base score is 7.3 out of 10.
Is CVE-2019-10086 known to be exploited?: 27 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.