diff --git a/SOURCES/CVE-2019-10086.patch b/SOURCES/CVE-2019-10086.patch
new file mode 100644
index 0000000..f1afb98
--- /dev/null
+++ b/SOURCES/CVE-2019-10086.patch
@@ -0,0 +1,126 @@
+From 1114eba5bfeeb4cd9fe5bb744e30ff3792309bb3 Mon Sep 17 00:00:00 2001
+From: Marian Koncek
+Date: Wed, 11 Dec 2019 13:27:47 +0100
+Subject: [PATCH] CVE-2019-10086
+
+---
+ .../commons/beanutils/PropertyUtilsBean.java | 1 +
+ .../BeanIntrospectionDataTestCase.java | 1 +
+ .../beanutils/bugs/Jira157TestCase.java | 7 +++
+ .../beanutils/bugs/Jira520TestCase.java | 55 +++++++++++++++++++
+ 4 files changed, 64 insertions(+)
+ create mode 100644 src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java
+
+diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+index ff0b2ee..4e55061 100644
+--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
++++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+@@ -188,6 +188,7 @@ public class PropertyUtilsBean {
+ public final void resetBeanIntrospectors() {
+ introspectors.clear();
+ introspectors.add(DefaultBeanIntrospector.INSTANCE);
++ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ }
+
+ /**
+diff --git a/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java b/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java
+index da8c22c..3a6c566 100644
+--- a/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java
++++ b/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java
+@@ -42,6 +42,7 @@ public class BeanIntrospectionDataTestCase extends TestCase {
+ */
+ private static PropertyDescriptor[] fetchDescriptors() {
+ final PropertyUtilsBean pub = new PropertyUtilsBean();
++ pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ pub.addBeanIntrospector(new FluentPropertyBeanIntrospector());
+ return pub.getPropertyDescriptors(BEAN_CLASS);
+ }
+diff --git a/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java b/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java
+index 97f7bae..5611b03 100644
+--- a/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java
++++ b/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java
+@@ -24,6 +24,9 @@ import junit.framework.TestCase;
+ import junit.framework.TestSuite;
+
+ import org.apache.commons.beanutils.BeanUtils;
++import org.apache.commons.beanutils.BeanUtilsBean;
++import org.apache.commons.beanutils.PropertyUtilsBean;
++import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
+ import org.apache.commons.logging.Log;
+ import org.apache.commons.logging.LogFactory;
+
+@@ -74,6 +77,10 @@ public class Jira157TestCase extends TestCase {
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
++
++ BeanUtilsBean custom = new BeanUtilsBean();
++ custom.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
++ BeanUtilsBean.setInstance(custom);
+ }
+
+ /**
+diff --git a/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java b/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java
+new file mode 100644
+index 0000000..c5f6cfb
+--- /dev/null
++++ b/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java
+@@ -0,0 +1,55 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.commons.beanutils.bugs;
++
++import org.apache.commons.beanutils.AlphaBean;
++import org.apache.commons.beanutils.BeanUtilsBean;
++import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
++
++import junit.framework.TestCase;
++
++/**
++ * Fix CVE: https://nvd.nist.gov/vuln/detail/CVE-2014-0114
++ *
++ * @see https://issues.apache.org/jira/browse/BEANUTILS-520
++ */
++public class Jira520TestCase extends TestCase {
++ /**
++ * By default opt-in to security that does not allow access to "class".
++ */
++ public void testSuppressClassPropertyByDefault() throws Exception {
++ final BeanUtilsBean bub = new BeanUtilsBean();
++ final AlphaBean bean = new AlphaBean();
++ try {
++ bub.getProperty(bean, "class");
++ fail("Could access class property!");
++ } catch (final NoSuchMethodException ex) {
++ // ok
++ }
++ }
++
++ /**
++ * Allow opt-out to make your app less secure but allow access to "class".
++ */
++ public void testAllowAccessToClassProperty() throws Exception {
++ final BeanUtilsBean bub = new BeanUtilsBean();
++ bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
++ final AlphaBean bean = new AlphaBean();
++ String result = bub.getProperty(bean, "class");
++ assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils.AlphaBean", result);
++ }
++}
+--
+2.21.0
+
diff --git a/SPECS/apache-commons-beanutils.spec b/SPECS/apache-commons-beanutils.spec
index fe9fc37..2d6ad95 100644
--- a/SPECS/apache-commons-beanutils.spec
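Review bot: The class Javadoc of the new Jira520TestCase cites CVE-2014-0114 while the patch subject, file name and changelog all say CVE-2019-10086; the two should agree so the backport's intent stays traceable, e.g. `* Fix CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-10086` (listing both if the test is meant to cover the older report too). Separately, the Jira157TestCase setUp hunk installs a BeanUtilsBean with SUPPRESS_CLASS removed through `BeanUtilsBean.setInstance(custom)` but nothing in the patch restores the previous instance, so the relaxed default presumably stays in effect for tests that run afterwards in the same context; a tearDown that re-installs a fresh `new BeanUtilsBean()` would keep the suppression in force for them. Jira157TestCase's other methods, and any existing tearDown, are outside the hunk.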
+++ b/SPECS/apache-commons-beanutils.spec @@ -6,13 +6,15 @@ Name: %{?scl_prefix}apache-%{short_name} Version: 1.9.3 -Release: 2.2%{?dist} +Release: 2.3%{?dist} Summary: Java utility methods for accessing and modifying the properties of arbitrary JavaBeans License: ASL 2.0 URL: http://commons.apache.org/%{base_name} BuildArch: noarch Source0: http://archive.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz +Patch0: CVE-2019-10086.patch + BuildRequires: %{?scl_prefix}maven-local BuildRequires: %{?scl_prefix}mvn(commons-collections:commons-collections) BuildRequires: %{?scl_prefix}mvn(commons-collections:commons-collections-testframework) @@ -35,6 +37,8 @@ Summary: Javadoc for %{pkg_name} %setup -q -n %{short_name}-%{version}-src sed -i 's/\r//' *.txt +%patch0 -p1 + %pom_remove_plugin :maven-assembly-plugin %mvn_alias :{*} :@1-core :@1-bean-collections @@ -57,6 +61,9 @@ sed -i 's/\r//' *.txt %doc LICENSE.txt NOTICE.txt %changelog +* Wed Dec 11 2019 Marian Koncek - 1.9.3-2.3 +- Fix CVE-2019-10086 + * Thu Jun 22 2017 Michael Simacek - 1.9.3-2.2 - Mass rebuild 2017-06-22
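Review bot: The changelog entry `- Fix CVE-2019-10086` does not mention that the patch changes default behaviour: after it, `PropertyUtilsBean.resetBeanIntrospectors()` registers `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`, so the `class` property is no longer resolvable through BeanUtils unless the application removes that introspector, as the patched Jira157TestCase itself has to do. For a point release of an existing package, a second bullet such as `- The "class" bean property is now suppressed by default; remove SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS to restore it` would tell users why their code might start seeing NoSuchMethodException. The `%patch0 -p1` strip level matches the `src/...` paths in the patch relative to the `%setup -n %{short_name}-%{version}-src` directory, so the application step itself looks right.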