vulnerability
Red Hat JBoss EAP: CVE-2019-10086: Deserialization of Untrusted Data
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Aug 15, 2019 | Sep 19, 2024 | Jun 19, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Aug 15, 2019
Added
Sep 19, 2024
Modified
Jun 19, 2025
Description
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.. A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.
Solution
red-hat-jboss-eap-upgrade-latest
References
- CVE-2019-10086
- https://attackerkb.com/topics/CVE-2019-10086
- URL-https://access.redhat.com/security/cve/CVE-2019-10086
- URL-https://bugzilla.redhat.com/show_bug.cgi?id=1767483
- URL-https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt
- URL-https://access.redhat.com/errata/RHSA-2020:0804
- URL-https://access.redhat.com/errata/RHSA-2020:0805
- URL-https://access.redhat.com/errata/RHSA-2020:0806
- URL-https://access.redhat.com/errata/RHSA-2020:0811
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.