Authorization Bypass

🗓️ 18 Nov 2019 03:10:08Reported by Veracode Vulnerability DatabaseType

veracode🔗 sca.analysiscenter.veracode.com👁 34 Views

Infinispan authorization bypass vulnerability in ReflectionUtil class

Reporter	Title	Published	Views	Family All 38
BDU FSTEC	The vulnerability of the `invokeAccessibly` method in Infinispan data storage software relates to the use of externally controlled input parameters for class selection. Exploiting this vulnerability could allow an attacker to execute arbitrary code.	22 May 202000:00	–	bdu_fstec
Circl	CVE-2019-10174	26 Feb 202418:46	–	circl
CNVD	Red Hat Infinispan Elevation of Privilege Vulnerability	18 Nov 201900:00	–	cnvd
CVE	CVE-2019-10174	25 Nov 201910:26	–	cve
Cvelist	CVE-2019-10174	25 Nov 201910:26	–	cvelist
EUVD	EUVD-2022-4059	3 Oct 202520:07	–	euvd
F5 Networks	K84408873: Infinispan vulnerability CVE-2019-10174	21 Feb 202319:26	–	f5
Github Security Blog	Use of Externally-Controlled Input to Select Classes or Code in Infinispan	24 May 202217:01	–	github
NVD	CVE-2019-10174	25 Nov 201911:15	–	nvd
OSV	CVE-2019-10174	25 Nov 201911:15	–	osv

Vulners

Node

infinispan-commons infinispan-commonsRange10.0.0.Alpha1–10.0.0.CR3java

infinispan-commons infinispan-commonsRange9.3.1.Final–9.4.18.Finaljava

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.13_6.sp5_redhat_1.1.ep7.el7

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.13_5.sp4_redhat_1.1.ep7.el7

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_2.sp2_redhat_00001.1.el7eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_4.sp3_redhat_00002.1.el7eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.13_7.sp6_redhat_00001.1.ep7.el6

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_4.sp3_redhat_00002.1.el8eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_5.sp3_redhat_00003.1.el6eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_6.sp3_redhat_00004.1.el7eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.12_1.redhat_1.1.ep7.el7

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_3.sp3_redhat_00001.1.el7eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.12_1.redhat_1.1.ep7.el6

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_3.sp3_redhat_00001.1.el6eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_5.sp3_redhat_00003.1.el7eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_3.sp3_redhat_00001.1.el8eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_6.sp3_redhat_00004.1.el8eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_7.sp3_redhat_00005.1.el7eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_5.sp3_redhat_00003.1.el8eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.13_5.sp4_redhat_1.1.ep7.el6

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.12_2.sp4_redhat_1.1.ep7.el7

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_4.sp3_redhat_00002.1.el6eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.12_2.sp4_redhat_1.1.ep7.el6

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.13_6.sp5_redhat_1.1.ep7.el6

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_2.sp2_redhat_00001.1.el8eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_6.sp3_redhat_00004.1.el6eap

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.2.13_7.sp6_redhat_00001.1.ep7.el7

eap7-glassfish-jsf eap7-glassfish-jsfMatch2.3.5_2.sp2_redhat_00001.1.el6eap

eap7-infinispan eap7-infinispanMatch9.3.3_1.final_redhat_00001.1.el7eap

eap7-infinispan eap7-infinispanMatch9.3.6_1.final_redhat_00001.1.el6eap

eap7-infinispan eap7-infinispanMatch9.3.3_1.final_redhat_00001.1.el6eap

eap7-infinispan eap7-infinispanMatch9.3.6_1.final_redhat_00001.1.el7eap

eap7-infinispan eap7-infinispanMatch8.1.7_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch8.1.8_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch8.2.9_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.2.9_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch8.2.11_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.1.6_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.1.4_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.1.8_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.2.8_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch8.2.10_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.1.4_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch9.3.7_1.final_redhat_00001.1.el6eap

eap7-infinispan eap7-infinispanMatch8.1.2_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.1.7_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch9.3.7_1.final_redhat_00001.1.el8eap

eap7-infinispan eap7-infinispanMatch9.3.6_1.final_redhat_00001.1.el8eap

eap7-infinispan eap7-infinispanMatch8.1.6_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch8.2.11_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch9.3.7_1.final_redhat_00001.1.el7eap

eap7-infinispan eap7-infinispanMatch8.2.8_1.final_redhat_1.1.ep7.el7

eap7-infinispan eap7-infinispanMatch8.2.10_1.final_redhat_1.1.ep7.el6

eap7-infinispan eap7-infinispanMatch8.1.2_1.final_redhat_1.1.ep7.el6

Source	Link
github	www.github.com/infinispan/infinispan/commit/a7dab68d194989aaa0b0aa0781cf8ee88fbe3439
github	www.github.com/infinispan/infinispan/pull/7433
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
security	www.security.netapp.com/advisory/ntap-20220210-0018/
access	www.access.redhat.com/errata/RHSA-2020:0481
access	www.access.redhat.com/errata/RHSA-2020:0727

20 Feb 2022 12:36Current

4.6Medium risk

Vulners AI Score4.6

CVSS 37.5 - 8.8

CVSS 26.5

EPSS0.03089