CVE-2019-10174

moderate-risk

Published 2019-11-25

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

Do I need to act?

0.88% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (10)

Infinispan

Fuse

Jboss Data Grid

Jboss Enterprise Application Platform

Openshift Application Runtimes

Single Sign-On

Jboss Enterprise Application Platform

Active Iq Unified Manager

Affected Vendors

Redhat Netapp Infinispan

References (8)

Vendor Advisory https://access.redhat.com/errata/RHSA-2020:0481

Vendor Advisory https://access.redhat.com/errata/RHSA-2020:0727

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174

Third Party Advisory https://security.netapp.com/advisory/ntap-20220210-0018/

Vendor Advisory https://access.redhat.com/errata/RHSA-2020:0481

Vendor Advisory https://access.redhat.com/errata/RHSA-2020:0727

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174

Third Party Advisory https://security.netapp.com/advisory/ntap-20220210-0018/

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 3/34 · Minimal

Exposure 16/34 · Moderate