Candidate: CVE-2019-10086
PublicDate: 2019-08-20 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
 https://issues.apache.org/jira/browse/BEANUTILS-520
 https://github.com/apache/commons-beanutils/pull/7
 https://github.com/apache/commons-beanutils/commit/dd48f4e589462a8cdb1f29bbbccb35d6b0291d58
Description:
 In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was
 added which allows suppressing the ability for an attacker to access the
 classloader via the class property available on all Java objects. We,
 however were not using this by default characteristic of the
 PropertyUtilsBean.
Ubuntu-Description:
 It was discovered that Apache Commons BeanUtils improperly handled certain
 input.  An attacker could use this vulnerability to execute arbitrary code.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [7.3 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [7.3 HIGH]


Patches_commons-beanutils:
upstream_commons-beanutils: released (1.9.4-1)
precise/esm_commons-beanutils: DNE
trusty_commons-beanutils: ignored (out of standard support)
trusty/esm_commons-beanutils: needed
xenial_commons-beanutils: ignored (end of standard support, was needed)
bionic_commons-beanutils: needed
disco_commons-beanutils: ignored (reached end-of-life)
eoan_commons-beanutils: not-affected (1.9.4-1)
focal_commons-beanutils: not-affected (1.9.4-1)
groovy_commons-beanutils: not-affected (1.9.4-1)
hirsute_commons-beanutils: not-affected (1.9.4-1)
impish_commons-beanutils: not-affected (1.9.4-1)
jammy_commons-beanutils: not-affected (1.9.4-1)
devel_commons-beanutils: not-affected (1.9.4-1)