Description

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-1097.html

http://www.securityfocus.com/bid/97964

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638

https://github.com/infinispan/infinispan/pull/4936/commits

https://issues.jboss.org/browse/ISPN-7485

Related Vulnerabilities

CVE-2022-38179 Vulnerability in maven package io.ktor:ktor-utils

CVE-2019-0232 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2019-10753 Vulnerability in maven package com.diffplug.spotless:spotless-eclipse-wtp

CVE-2017-12962 Vulnerability in npm package node-sass

CVE-2022-31367 Vulnerability in npm package strapi-plugin-content-manager

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Tags

Third Party Advisory VDB Entry Issue Tracking Patch