Use of Externally-Controlled Input to Select Classes or Code in Infinispan

GHSA-h47x-2j37-fw5m · CVE-2019-10174

Published May 24, 2022 · Modified Feb 20, 2024

Description

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-10174
WEB https://github.com/infinispan/infinispan/commit/5dbb05cfaca01a1a66732b82a0f5ba615ccbd214
WEB https://github.com/infinispan/infinispan/commit/7bdc2822ccf79127a488130239c49a5e944e3ca2
WEB https://access.redhat.com/errata/RHSA-2020:0481
WEB https://access.redhat.com/errata/RHSA-2020:0727
WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174
PACKAGE https://github.com/infinispan/infinispan
WEB https://security.netapp.com/advisory/ntap-20220210-0018

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes