CVE-2019-10086

Summary

CVE: CVE-2019-10086
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2019-08-20 21:15:00 UTC
Updated: 2023-11-07 03:02:00 UTC
Description: In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the PropertyUtilsBean.

Risk And Classification

Problem Types: CWE-502

NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Application Apache Commons Beanutils All All All All
Application Apache Nifi 1.14.0 All All All
Application Apache Nifi 1.15.0 All All All
Operating System Debian Debian Linux 8.0 All All All
Operating System Fedoraproject Fedora 30 All All All
Operating System Fedoraproject Fedora 31 All All All
Operating System Opensuse Leap 15.0 All All All
Operating System Opensuse Leap 15.1 All All All
Application Oracle Agile Plm 9.3.3 All All All
Application Oracle Agile Plm 9.3.5 All All All
Application Oracle Agile Plm 9.3.6 All All All
Application Oracle Agile Product Lifecycle Management Integration Pack 3.5 All All All
Application Oracle Agile Product Lifecycle Management Integration Pack 3.6 All All All
Application Oracle Application Testing Suite 13.3.0.1 All All All
Application Oracle Banking Platform 2.4.0 All All All
Application Oracle Banking Platform 2.7.1 All All All
Application Oracle Banking Platform 2.9.0 All All All
Application Oracle Blockchain Platform All All All All
Application Oracle Communications Billing And Revenue Management 12.0.0.3.0 All All All
Application Oracle Communications Billing And Revenue Management 7.5 All All All
Application Oracle Communications Billing And Revenue Management Elastic Charging Engine 11.3.0.9 All All All
Application Oracle Communications Billing And Revenue Management Elastic Charging Engine 12.0.0.3 All All All
Application Oracle Communications Cloud Native Core Console 1.4.0 All All All
Application Oracle Communications Cloud Native Core Policy 1.9.0 All All All
Application Oracle Communications Cloud Native Core Unified Data Repository 1.6.0 All All All
Application Oracle Communications Convergence 3.0.2.2.0 All All All
Application Oracle Communications Design Studio 7.3.4 All All All
Application Oracle Communications Design Studio 7.3.5 All All All
Application Oracle Communications Design Studio 7.4.0 All All All
Application Oracle Communications Evolved Communications Application Server 7.1 All All All
Application Oracle Communications Metasolv Solution 6.3.0 All All All
Application Oracle Communications Metasolv Solution 6.3.1 All All All
Application Oracle Communications Network Integrity 7.3.6 All All All
Application Oracle Communications Performance Intelligence Center 10.4.0.3 All All All
Application Oracle Communications Pricing Design Center 12.0.0.3.0 All All All
Application Oracle Communications Unified Inventory Management 7.3.4 All All All
Application Oracle Communications Unified Inventory Management 7.3.5 All All All
Application Oracle Communications Unified Inventory Management 7.4.0 All All All
Application Oracle Communications Unified Inventory Management 7.4.1 All All All
Application Oracle Customer Management And Segmentation Foundation 18.0 All All All
Application Oracle Enterprise Manager For Virtualization 13.4.0.0 All All All
Application Oracle Financial Services Revenue Management And Billing Analytics 2.7 All All All
Application Oracle Financial Services Revenue Management And Billing Analytics 2.8 All All All
Application Oracle Flexcube Private Banking 12.0.0 All All All
Application Oracle Flexcube Private Banking 12.1.0 All All All
Application Oracle Fusion Middleware 11.1.1.9 All All All
Application Oracle Fusion Middleware 12.2.1.3.0 All All All
Application Oracle Fusion Middleware 12.2.1.4.0 All All All
Application Oracle Healthcare Foundation 7.1.5 All All All
Application Oracle Healthcare Foundation 7.2.2 All All All
Application Oracle Healthcare Foundation 7.3.0 All All All
Application Oracle Healthcare Foundation 7.3.1 All All All
Application Oracle Healthcare Foundation 8.0.1 All All All
Application Oracle Hospitality Opera 5 5.5 All All All
Application Oracle Hospitality Opera 5 5.6 All All All
Application Oracle Hospitality Reporting And Analytics 9.1.0 All All All
Application Oracle Insurance Data Gateway 1.0.2.3 All All All
Application Oracle Jd Edwards Enterpriseone Orchestrator All All All All
Application Oracle Jd Edwards Enterpriseone Orchestrator 9.2.5.3 All All All
Application Oracle Jd Edwards Enterpriseone Tools All All All All
Application Oracle Jd Edwards Enterpriseone Tools 9.2.5.3 All All All
Application Oracle Peoplesoft Enterprise Peopletools 8.56 All All All
Application Oracle Peoplesoft Enterprise Peopletools 8.57 All All All
Application Oracle Peoplesoft Enterprise Pt Peopletools 8.56 All All All
Application Oracle Peoplesoft Enterprise Pt Peopletools 8.57 All All All
Application Oracle Peoplesoft Enterprise Pt Peopletools 8.58 All All All
Application Oracle Primavera Gateway All All All All
Application Oracle Real-time Decisions Solutions 3.2.0.0 All All All
Application Oracle Retail Advanced Inventory Planning 14.1 All All All
Application Oracle Retail Back Office 14.1 All All All
Application Oracle Retail Central Office 14.1 All All All
Application Oracle Retail Invoice Matching 16.0.3 All All All
Application Oracle Retail Merchandising System 5.0.3.1 All All All
Application Oracle Retail Point-of-service 14.1 All All All
Application Oracle Retail Predictive Application Server 16.0 All All All
Application Oracle Retail Price Management 14.0 All All All
Application Oracle Retail Price Management 14.0.1 All All All
Application Oracle Retail Price Management 15.0 All All All
Application Oracle Retail Price Management 16.0 All All All
Application Oracle Retail Returns Management 14.1 All All All
Application Oracle Retail Xstore Point Of Service 15.0 All All All
Application Oracle Retail Xstore Point Of Service 16.0 All All All
Application Oracle Retail Xstore Point Of Service 17.0 All All All
Application Oracle Retail Xstore Point Of Service 18.0 All All All
Application Oracle Retail Xstore Point Of Service 7.1 All All All
Application Oracle Service Bus 11.1.1.9.0 All All All
Application Oracle Service Bus 12.2.1.3.0 All All All
Application Oracle Service Bus 12.2.1.4.0 All All All
Application Oracle Solaris Cluster 4.4 All All All
Application Oracle Time And Labor All All All All
Application Oracle Utilities Framework 4.2.0.2.0 All All All
Application Oracle Utilities Framework 4.2.0.3.0 All All All
Application Oracle Utilities Framework 4.4.0.0.0 All All All
Application Oracle Utilities Framework 4.4.0.2.0 All All All
Application Oracle Utilities Framework 4.4.0.3.0 All All All
Application Oracle Utilities Framework All All All All
Application Oracle Weblogic Server 10.3.6.0.0 All All All
Operating System Redhat Enterprise Linux Desktop 7.0 All All All
Operating System Redhat Enterprise Linux Eus 7.7 All All All
Operating System Redhat Enterprise Linux Server 6.0 All All All
Operating System Redhat Enterprise Linux Server 7.0 All All All
Operating System Redhat Enterprise Linux Server 8.0 All All All
Operating System Redhat Enterprise Linux Server Aus 7.7 All All All
Operating System Redhat Enterprise Linux Server Tus 7.7 All All All
Operating System Redhat Enterprise Linux Workstation 7.0 All All All
Application Redhat Jboss Enterprise Application Platform 7.2.0 All All All

References

Reference Source Link Tags
[security-announce] openSUSE-SU-2019:2058-1: important: Security update SUSE lists.opensuse.org Mailing List, Third Party Advisory
[nifi-issues] 20210915 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
Pony Mail! lists.apache.org
Pony Mail! MLIST lists.apache.org Mailing List, Vendor Advisory
[nifi-issues] 20210907 [GitHub] [nifi] MikeThomsen commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
[SECURITY] Fedora 31 Update: apache-commons-beanutils-1.9.4-1.fc31 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
Pony Mail! MLIST lists.apache.org
Red Hat Customer Portal - Access to 24x7 support and knowledge REDHAT access.redhat.com Third Party Advisory
Red Hat Customer Portal REDHAT access.redhat.com Third Party Advisory
Oracle Critical Patch Update Advisory - July 2020 MISC www.oracle.com Third Party Advisory
[SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default. MLIST mail-archives.apache.org Mailing List, Vendor Advisory
Oracle Critical Patch Update Advisory - April 2022 MISC www.oracle.com
Pony Mail! MLIST lists.apache.org Mailing List, Patch, Vendor Advisory
Oracle Critical Patch Update Advisory - July 2021 N/A www.oracle.com
[SECURITY] Fedora 30 Update: apache-commons-beanutils-1.9.4-1.fc30 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org Third Party Advisory
[SECURITY] [DLA 1896-1] commons-beanutils security update MLIST lists.debian.org Mailing List, Third Party Advisory
[nifi-issues] 20210907 [GitHub] [nifi] asfgit closed pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
Oracle Critical Patch Update Advisory - October 2021 MISC www.oracle.com
[nifi-issues] 20210907 [jira] [Commented] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
[nifi-issues] 20210827 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
Oracle Critical Patch Update Advisory - January 2022 MISC www.oracle.com
[SECURITY] Fedora 31 Update: apache-commons-beanutils-1.9.4-1.fc31 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org Third Party Advisory
[nifi-issues] 20210908 [GitHub] [nifi] naddym commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
[SECURITY] Fedora 30 Update: apache-commons-beanutils-1.9.4-1.fc30 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[nifi-issues] 20210827 [jira] [Created] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
[nifi-commits] 20210907 [nifi] branch main updated: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 NIFI-9170 Add two more 1.9.4 references to close out the few things identified by the Maven dependency plugin. lists.apache.org
[SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default. mail-archives.apache.org
Oracle Critical Patch Update Advisory - January 2020 MISC www.oracle.com Third Party Advisory
Oracle Critical Patch Update Advisory - April 2020 N/A www.oracle.com Third Party Advisory
[nifi-issues] 20210827 [GitHub] [nifi] naddym opened a new pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 lists.apache.org
Oracle Critical Patch Update Advisory - July 2022 N/A www.oracle.com
Oracle Critical Patch Update Advisory - April 2021 MISC www.oracle.com
Oracle Critical Patch Update Advisory - January 2021 MISC www.oracle.com Third Party Advisory
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 20324 Oracle E-Business Suite Remote Code Execution (RCE) Vulnerability (CPUOCT2022)
  • 238192 Red Hat Update for Satellite 6.7 release.(RHSA-2020:1454)
  • 375482 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2021)
  • 375484 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2021) (WebLogic Server Unix Authentication Record)
  • 375626 IBM Cognos Analytics Multiple Vulnerabilities (6451705)
  • 377179 Alibaba Cloud Linux Security Update for apache-commons-beanutils (ALINUX2-SA-2020:0015)
  • 87448 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2021)
  • 980293 Java (maven) Security Update for commons-beanutils:commons-beanutils (GHSA-6phf-73q6-gh87)