CVE-2019-10174

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

Published: Nov 25, 2019
Updated: May 9, 2024
CVE: CVE-2019-10174
GHSA: GHSA-h47x-2j37-fw5m
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-470

Affected Software
References

Software	From	Fixed in
infinispan / infinispan	9.0.0	9.4.17
infinispan / infinispan	-	8.2.12
redhat / fuse	1.0	1.0.x
redhat / jboss_enterprise_application_platform	7.2	7.2.x
org.infinispan / infinispan-core	-	8.2.12.Final
org.infinispan / infinispan-core	9.0.0.Final	9.4.17.Final

https://access.redhat.com/errata/RHSA-2020:0481
https://access.redhat.com/errata/RHSA-2020:0727
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174
https://github.com/infinispan/infinispan/commit/5dbb05cfaca01a1a66732b82a0f5ba615ccbd214
https://github.com/infinispan/infinispan/commit/7bdc2822ccf79127a488130239c49a5e944e3ca2
https://security.netapp.com/advisory/ntap-20220210-0018/

Vulnerability Database

289,599

CVE-2019-10174