{
  "threat_severity" : "Important",
  "public_date" : "2019-11-14T00:00:00Z",
  "bugzilla" : {
    "description" : "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods",
    "id" : "1703469",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1703469"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-470",
  "details" : [ "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application." ],
  "statement" : "Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.",
  "affected_release" : [ {
    "product_name" : "EAP-CD 19 Tech Preview",
    "release_date" : "2020-05-28T00:00:00Z",
    "advisory" : "RHSA-2020:2333",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_cd:19",
    "package" : "infinispan-core"
  }, {
    "product_name" : "Red Hat Data Grid 7.3.3",
    "release_date" : "2020-03-05T00:00:00Z",
    "advisory" : "RHSA-2020:0727",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7.3",
    "package" : "infinispan-core"
  }, {
    "product_name" : "Red Hat Fuse 6.3",
    "release_date" : "2020-02-12T00:00:00Z",
    "advisory" : "RHSA-2020:0481",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3",
    "package" : "infinispan-core"
  }, {
    "product_name" : "Red Hat Fuse 7.6.0",
    "release_date" : "2020-03-26T00:00:00Z",
    "advisory" : "RHSA-2020:0983",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "infinispan-core"
  }, {
    "product_name" : "Red Hat JBoss EAP 7.2",
    "release_date" : "2020-05-11T00:00:00Z",
    "advisory" : "RHSA-2020:2062",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2",
    "package" : "infinispan-core"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2024-08-26T00:00:00Z",
    "advisory" : "RHSA-2024:5856",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6",
    "release_date" : "2020-05-11T00:00:00Z",
    "advisory" : "RHSA-2020:2063",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6",
    "package" : "eap7-glassfish-jsf-0:2.3.5-11.SP3_redhat_00009.1.el6eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6",
    "release_date" : "2020-05-11T00:00:00Z",
    "advisory" : "RHSA-2020:2063",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6",
    "package" : "eap7-infinispan-0:9.3.9-1.Final_redhat_00001.1.el6eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7",
    "release_date" : "2020-05-11T00:00:00Z",
    "advisory" : "RHSA-2020:2063",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7",
    "package" : "eap7-glassfish-jsf-0:2.3.5-11.SP3_redhat_00009.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7",
    "release_date" : "2020-05-11T00:00:00Z",
    "advisory" : "RHSA-2020:2063",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7",
    "package" : "eap7-infinispan-0:9.3.9-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8",
    "release_date" : "2020-05-11T00:00:00Z",
    "advisory" : "RHSA-2020:2063",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8",
    "package" : "eap7-glassfish-jsf-0:2.3.5-11.SP3_redhat_00009.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8",
    "release_date" : "2020-05-11T00:00:00Z",
    "advisory" : "RHSA-2020:2063",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8",
    "package" : "eap7-infinispan-0:9.3.9-1.Final_redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat Openshift Application Runtimes Vert.x 3.8.3",
    "release_date" : "2019-11-18T00:00:00Z",
    "advisory" : "RHSA-2019:3901",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "infinispan-core"
  }, {
    "product_name" : "Red Hat Single Sign On 7.3",
    "release_date" : "2020-05-12T00:00:00Z",
    "advisory" : "RHSA-2020:2113",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.3",
    "package" : "infinispan-core"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "infinispan-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "infinispan-core",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "infinispan-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "infinispan-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Affected",
    "package_name" : "infinispan-core",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:14",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "infinispan-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10174\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10174" ],
  "name" : "CVE-2019-10174",
  "mitigation" : {
    "value" : "There is no known mitigation for this issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}