{"id":"CVE-2019-10086","details":"In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.","aliases":["GHSA-6phf-73q6-gh87"],"modified":"2026-04-16T04:33:28.591680289Z","published":"2019-08-20T21:15:12.057Z","related":["ALSA-2025:9318","CGA-5qmc-vxrj-v4ww","SUSE-SU-2019:2244-1","SUSE-SU-2019:2245-1","openSUSE-SU-2019:2058-1","openSUSE-SU-2024:10617-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3%40%3Cdev.shiro.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f%40%3Cdev.shiro.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db%40%3Cdev.rocketmq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca%40%3Cdev.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1%40%3Cdev.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c%40%3Ccommits.dolphinscheduler.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b%40%3Ccommits.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f%40%3Cdev.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/"},{"type":"WEB","url":"http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4%40apache.org%3e"},{"type":"WEB","url":"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48%40%3Cdev.shiro.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6%40%3Cdev.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba%40%3Ccommits.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825%40%3Ccommits.dolphinscheduler.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc%40%3Cissues.commons.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa%40%3Cdev.shiro.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6%40%3Cdev.shiro.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4%40%3Cdev.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c%40%3Cdev.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1%40%3Cissues.nifi.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58%40%3Cdev.atlas.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125%40%3Ccommits.tinkerpop.apache.org%3E"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0805"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0057"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0804"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4317"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0194"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0806"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0811"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/nifi","events":[{"introduced":"0"},{"last_affected":"fcbf1d5f975dd984e34f3a543b9480c779b0dc2f"},{"introduced":"0"},{"last_affected":"7fdc07cccdc0e23d4986557a9314e36859704a3b"},{"introduced":"0"},{"last_affected":"65c7732e46cdfcb17afe0dd7b0a3e0956226bcbb"},{"introduced":"0"},{"last_affected":"034cf843c1e8d63d218871a1478e2eeaa3532dca"},{"introduced":"0"},{"last_affected":"e6508ba7d3da5bba54abd6233a7a8f9dd4c32151"},{"introduced":"0"},{"last_affected":"45bb53d2aafd6ec5cb6bb794b3f7f8fc8300a04b"},{"introduced":"0"},{"last_affected":"f8466cb16d6723ddc3bf5f0e7f8ce8a47d27cbe5"},{"introduced":"0"},{"last_affected":"46e83d2aea47dd4285a667f7fdb93b40bb1198c3"},{"introduced":"0"},{"last_affected":"67407bdb75977dbdc382b318773fa313ac70e4df"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.14.0"},{"introduced":"0"},{"last_affected":"1.15.0"},{"introduced":"0"},{"last_affected":"2.4.0"},{"introduced":"0"},{"last_affected":"2.7.1"},{"introduced":"0"},{"last_affected":"1.4.0"},{"introduced":"0"},{"last_affected":"1.9.0"},{"introduced":"0"},{"last_affected":"1.6.0"},{"introduced":"0"},{"last_affected":"2.7"},{"introduced":"0"},{"last_affected":"2.8"}]}}],"versions":["docker/nifi-1.2.0","nifi-0.2.0-incubating-RC1","nifi-0.4.1","nifi-0.4.1-RC1","nifi-0.6.0","nifi-0.6.0-RC2","nifi-1.1.0-RC2","nifi-1.14.0-RC2","nifi-1.15.0-RC3","nifi-1.2.0-RC2","nifi-1.6.0-RC3","nifi-1.9.0-RC2","nifi-2.4.0-RC1","nifi-2.7.0-RC4","nifi-2.7.1-RC2","nifi-2.8.0-RC2","rel/nifi-1.1.0","rel/nifi-1.14.0","rel/nifi-1.15.0","rel/nifi-1.2.0","rel/nifi-1.4.0","rel/nifi-1.6.0","rel/nifi-1.9.0","rel/nifi-2.4.0","rel/nifi-2.7.0","rel/nifi-2.7.1","rel/nifi-2.8.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"1.0"},{"last_affected":"1.9.3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"13.3.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.9.0"}]},{"events":[{"introduced":"0"},{"fixed":"21.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.0.9"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.2.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.4.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.9"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.0.2.3"}]},{"events":[{"introduced":"0"},{"fixed":"9.2.5.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2.5.3"}]},{"events":[{"introduced":"0"},{"fixed":"9.2.5.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2.5.3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.56"}]},{"events":[{"introduced":"0"},{"last_affected":"8.57"}]},{"events":[{"introduced":"0"},{"last_affected":"8.56"}]},{"events":[{"introduced":"0"},{"last_affected":"8.57"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"16.2.0"},{"last_affected":"16.2.11"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.6"}]},{"events":[{"introduced":"0"},{"last_affected":"3.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4"}]},{"events":[{"introduced":"12.2.6"},{"last_affected":"12.2.11"}]},{"events":[{"introduced":"4.3.0.1.0"},{"last_affected":"4.3.0.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.0.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.3.6.0.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10086.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}