Vulnerability DatabaseCVE-2019-10146

CVE-2019-10146:
Apache Velocity engine vulnerability analysis and mitigation

Overview

A Reflected Cross Site Scripting (XSS) vulnerability was discovered in all pki-core 10.x.x versions, specifically affecting the CA Agent Service component. The vulnerability, identified as CVE-2019-10146, was discovered in March 2019 and involves improper sanitization of the certificate request page (CVE Mitre, NVD).

Technical details

The vulnerability exists in the /ca/agent/ca/profileProcess form, where the basicConstraintsPathLen parameter is not properly sanitized by the server. This security flaw is considered Low severity because it requires the attacker to first request or predict a valid nonce. Without a valid nonce, no arbitrary HTML will be sent back to the victim's browser (Red Hat Bugzilla).

Impact

The security consequences of this vulnerability are limited due to the web UI using client-side TLS authentication, which means stealing a cookie would not be of much use to an attacker. The primary concern is the potential for website defacement (Red Hat Bugzilla).

Mitigation and workarounds

The vulnerability was patched in multiple Red Hat Enterprise Linux versions through various security advisories. The fix was implemented upstream through commit b235c0f3c6c249dbba692410b525d8d6fb7409f4 in the dogtagpki/pki repository (Red Hat Bugzilla).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

4.7

Score

Published March 18, 2020

Severity MEDIUM

CNA Score 4.7

Affected Technologies

Apache Velocity engine
Alibaba Cloud Linux (Aliyun Linux)

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 49.2

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

relaxngDatatype
xerces-j2

Sources

NVD
Debian Security Tracker
- Debian 11 Severity MEDIUMHas FixAdded at: Nov 23, 2021
Red Hat Errata
- Red Hat 7 Severity LOWHas FixAdded at: Nov 23, 2021
- Red Hat 8 Severity LOWHas FixAdded at: Nov 23, 2021
Ubuntu Security Tracker
- Ubuntu 18.04, 20.04 Severity LOWNo FixAdded at: Nov 23, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Apache Velocity engine vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-48734	HIGH	8.8	Java	javapackages-tools:201801::cglib	No	Yes	May 28, 2025
CVE-2025-52999	HIGH	8.7	Java	glassfish-jaxb-api	No	Yes	Jun 25, 2025
CVE-2022-25762	HIGH	8.6	Java	tomcat6-javadoc	No	Yes	May 13, 2022
CVE-2024-38286	HIGH	7.5	Java	tomcat-el-5.0-api	No	Yes	Nov 07, 2024
CVE-2025-48924	MEDIUM	5.3	Java	libcommons-lang-java	No	Yes	Jul 11, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2019-10146: Apache Velocity engine vulnerability analysis and mitigation