CVE-2019-10174

CWE-4707 documents6 sources

Severity

8.8HIGH

EPSS

0.9%

top 24.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Infinispan Infinispan [unknown] Infinispan Redhat Fuse +1 more

Timeline

PublishedNov 25

Latest updateMay 24

Description

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDinfinispan/infinispan9.0.0 — 9.4.17+1

▶Mavenorg.infinispan:infinispan-core9.0.0.Final — 9.4.17.Final+1

▶CVEListV5[unknown]/infinispan10.0.0.Final, 9.4.17.Final+1

▶NVDredhat/jboss_enterprise_application_platform7.2

▶NVDredhat/fuse1.0

🔴Vulnerability Details

GHSA

Use of Externally-Controlled Input to Select Classes or Code in Infinispan↗2022-05-24

▶

OSV

Use of Externally-Controlled Input to Select Classes or Code in Infinispan↗2022-05-24

▶

CVEList

CVE-2019-10174: A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to inv↗2019-11-25

▶

📋Vendor Advisories

Red Hat

infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods↗2019-11-14

▶

💬Community

Bugzilla

CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [fedora-all]↗2019-11-19

▶

Bugzilla

CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods↗2019-04-26

▶