Vulnerability Details: CVE-2019-10174
A vulnerability was found in Infinispan: the invokeAccessibly method of the public class ReflectionUtil executes a reflective call with Infinispan's own privileges rather than the caller's, so any application class can use it to invoke private methods in any class, even when that application is itself deployed with restricted permissions. An attacker who controls application code can therefore use reflection to introduce new, malicious behaviour into the process. The flaw only matters when the JVM runs with a Java SecurityManager; without one, classpath code can already reach private members through reflection, so there is no privilege boundary for the utility to breach.
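The program below is an added illustration of the pattern the description refers to; it is not Infinispan's source and not Red Hat's fix. The names Vault, UntrustedCaller and invokeAccessiblyChecked, and the assumption that the vulnerable utility wrapped setAccessible in an AccessController.doPrivileged block, are mine. It reloads one class into a ProtectionDomain that lacks ReflectPermission("suppressAccessChecks") and shows that the "privileged" helper lets that class read a private method anyway, while the same call without privilege elevation is denied. Compile with javac and run with java on JDK 11 to 23 (on JDK 17 and later add -Djava.security.manager=allow; JDK 24 disables the SecurityManager permanently).

```java
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

// Illustrative reconstruction of the CVE-2019-10174 pattern; not Infinispan's code.
@SuppressWarnings({"removal", "deprecation"})
public class ReflectionUtilDemo {

    // Stand-in for the library utility named in the CVE (hypothetical implementation).
    public static final class ReflectionUtil {
        // VULNERABLE pattern: a public entry point that switches to the library's own
        // privileges before suppressing access checks. AccessController only inspects the
        // frames above doPrivileged, so the caller's (possibly empty) permissions never
        // take part in the decision.
        public static Object invokeAccessibly(Object target, Method m, Object... args) throws Exception {
            try {
                return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                    m.setAccessible(true);          // needs ReflectPermission("suppressAccessChecks")
                    return m.invoke(target, args);  // private method is now callable
                });
            } catch (PrivilegedActionException e) {
                throw e.getException();
            }
        }

        // HARDENED pattern (one possible fix, assumed here): do not elevate. The permission
        // check now covers the whole call stack, so a caller that lacks
        // suppressAccessChecks is rejected with an AccessControlException.
        public static Object invokeAccessiblyChecked(Object target, Method m, Object... args) throws Exception {
            m.setAccessible(true);
            return m.invoke(target, args);
        }
    }

    // Class whose private method an untrusted deployment must not be able to reach.
    public static final class Vault {
        private String secret() { return "s3cr3t"; }
    }

    // The "application class" of the CVE text. main() redefines it under a ProtectionDomain
    // that holds only accessDeclaredMembers: it may look methods up, not suppress checks.
    public static final class UntrustedCaller {
        public static String viaUnsafe() throws Exception {
            Method m = Vault.class.getDeclaredMethod("secret");
            return (String) ReflectionUtil.invokeAccessibly(new Vault(), m);
        }
        public static String viaChecked() throws Exception {
            Method m = Vault.class.getDeclaredMethod("secret");
            return (String) ReflectionUtil.invokeAccessiblyChecked(new Vault(), m);
        }
    }

    private static final String UNTRUSTED = "ReflectionUtilDemo$UntrustedCaller";

    public static void main(String[] argv) throws Exception {
        // Re-read the compiled bytes of UntrustedCaller so it can be defined a second time
        // under a low-privilege domain. The 2-arg ProtectionDomain constructor makes the
        // domain static: the permissive Policy installed below is never consulted for it.
        byte[] bytes;
        try (InputStream in = ReflectionUtilDemo.class.getResourceAsStream(UNTRUSTED + ".class")) {
            bytes = in.readAllBytes();
        }
        Permissions few = new Permissions();
        few.add(new RuntimePermission("accessDeclaredMembers"));
        ProtectionDomain untrustedPd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), few);

        ClassLoader sandbox = new SecureClassLoader(ReflectionUtilDemo.class.getClassLoader()) {
            @Override
            protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
                if (!name.equals(UNTRUSTED)) {
                    return super.loadClass(name, resolve); // Vault and ReflectionUtil stay trusted
                }
                synchronized (getClassLoadingLock(name)) {
                    Class<?> c = findLoadedClass(name);
                    return c != null ? c : defineClass(name, bytes, 0, bytes.length, untrustedPd);
                }
            }
        };
        Class<?> untrusted = sandbox.loadClass(UNTRUSTED);

        // Every other domain (the library and this demo) gets everything; then enable the SecurityManager.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain pd, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println("vulnerable invokeAccessibly : " + call(untrusted, "viaUnsafe"));
        System.out.println("hardened   invokeAccessibly : " + call(untrusted, "viaChecked"));
    }

    private static String call(Class<?> c, String method) throws Exception {
        try {
            return (String) c.getMethod(method).invoke(null);
        } catch (InvocationTargetException e) {
            return "denied: " + e.getCause();
        }
    }
}
```

The first line prints the secret: the sandboxed caller holds no ReflectPermission, yet the privileged helper reads the private method for it. The second line prints an AccessControlException for "suppressAccessChecks", because the check now sees the untrusted frame. When auditing a library that is meant to run under a SecurityManager, treat any public method that combines doPrivileged with setAccessible, class loading, or file access as a privilege-escalation primitive, and either drop the elevation or gate it on a check performed in the caller's context.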
Products affected by CVE-2019-10174
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
- cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10174
- EPSS score: 0.29% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~68% (proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2019-10174
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST
7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | Red Hat, Inc.
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST
The two v3 vectors differ only in Attack Complexity: Red Hat rates it High (7.5), NIST rates it Low (8.8). Both agree that a low-privileged, network-reachable caller gets full confidentiality, integrity and availability impact, which is consistent with an in-process privilege escalation through reflection.
CWE ids for CVE-2019-10174
- The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2019-10174
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174 : 1703469 (CVE-2019-10174) infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (Issue Tracking; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20220210-0018/ : CVE-2019-10174 Infinispan Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0481 : RHSA-2020:0481 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2020:0727 : RHSA-2020:0727 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)