{"containers": {"cna": {"affected": [{"product": "infinispan", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "10.0.0.Final"}, {"status": "affected", "version": "9.4.17.Final"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-470", "description": "CWE-470", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-10T09:06:27", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"}, {"name": "RHSA-2020:0481", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0481"}, {"name": "RHSA-2020:0727", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-10174", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "infinispan", "version": {"version_data": [{"version_value": "10.0.0.Final"}, {"version_value": "9.4.17.Final"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application."}]}, "impact": {"cvss": [[{"vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-470"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"}, {"name": "RHSA-2020:0481", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0481"}, {"name": "RHSA-2020:0727", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"name": "https://security.netapp.com/advisory/ntap-20220210-0018/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:10.097Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"}, {"name": "RHSA-2020:0481", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0481"}, {"name": "RHSA-2020:0727", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10174", "datePublished": "2019-11-25T10:26:16", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2024-08-04T22:10:10.097Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC18B2E6-CC6C-4CA3-9947-C18197CA22C5", "versionEndExcluding": "8.2.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*", "matchCriteriaId": "D776F69C-45D9-4CE6-94AB-1E13AB796677", "versionEndExcluding": "9.4.17", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Infinispan, de modo que el m\u00e9todo invokeAccessibly de la clase p\u00fablica ReflectionUtil permite que cualquier clase de aplicaci\u00f3n invoque m\u00e9todos privados en cualquier clase con los privilegios de Infinispan. El atacante puede usar la reflexi\u00f3n para introducir un nuevo comportamiento malicioso en la aplicaci\u00f3n."}], "id": "CVE-2019-10174", "lastModified": "2022-02-20T06:31:14.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-25T11:15:10.823", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0481"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-470"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-470"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2020:2333", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_cd:19", "package": "infinispan-core", "product_name": "EAP-CD 19 Tech Preview", "release_date": "2020-05-28T00:00:00Z"}, {"advisory": "RHSA-2020:0727", "cpe": "cpe:/a:redhat:jboss_data_grid:7.3", "package": "infinispan-core", "product_name": "Red Hat Data Grid 7.3.3", "release_date": "2020-03-05T00:00:00Z"}, {"advisory": "RHSA-2020:0481", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "infinispan-core", "product_name": "Red Hat Fuse 6.3", "release_date": "2020-02-12T00:00:00Z"}, {"advisory": "RHSA-2020:0983", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "infinispan-core", "product_name": "Red Hat Fuse 7.6.0", "release_date": "2020-03-26T00:00:00Z"}, {"advisory": "RHSA-2020:2062", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2", "package": "infinispan-core", "product_name": "Red Hat JBoss EAP 7.2", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2024:5856", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2024-08-26T00:00:00Z"}, {"advisory": "RHSA-2020:2063", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package": "eap7-glassfish-jsf-0:2.3.5-11.SP3_redhat_00009.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2063", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "package": "eap7-infinispan-0:9.3.9-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2063", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package": "eap7-glassfish-jsf-0:2.3.5-11.SP3_redhat_00009.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2063", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "package": "eap7-infinispan-0:9.3.9-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2063", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package": "eap7-glassfish-jsf-0:2.3.5-11.SP3_redhat_00009.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2020:2063", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "package": "eap7-infinispan-0:9.3.9-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2020-05-11T00:00:00Z"}, {"advisory": "RHSA-2019:3901", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "product_name": "Red Hat Openshift Application Runtimes Vert.x 3.8.3", "release_date": "2019-11-18T00:00:00Z"}, {"advisory": "RHSA-2020:2113", "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.3", "package": "infinispan-core", "product_name": "Red Hat Single Sign On 7.3", "release_date": "2020-05-12T00:00:00Z"}], "bugzilla": {"description": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods", "id": "1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-470", "details": ["A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application."], "mitigation": {"lang": "en:us", "value": "There is no known mitigation for this issue."}, "name": "CVE-2019-10174", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "infinispan-core", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "infinispan-core", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "infinispan-core", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "infinispan-core", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Affected", "package_name": "infinispan-core", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "infinispan-core", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "moderate", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Will not fix", "impact": "moderate", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "impact": "moderate", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "infinispan-core", "product_name": "Red Hat Process Automation 7"}], "public_date": "2019-11-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10174\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10174"], "statement": "Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.", "threat_severity": "Important", "upstream_fix": "Infinispan 10.0.0.Final, Infinispan 9.4.17.Final, Infinispan 8.2.12.Final"}