DEBIAN-CVE-2019-10086

DEBIAN-CVE-2019-10086 PUBLISHED CVSS 7.300000190734863 HIGH

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Risk Scores

CVSS 3.1

7.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products

Vendor	Product	Versions
Debian:13	commons-beanutils	0, 0, 0
Debian:12	commons-beanutils	0, 0, 0
Debian:14	commons-beanutils	0, 0, 0
Debian:11	commons-beanutils	0, 0, 0

Exploit Intelligence

wait for exp. (github-poc)
security.xml (github-poc)
cve-suppress.xml (github-poc)

Timeline

Aug 20, 2019 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2019-10086 advisory

Open in Interactive Console →