ALT-PU-2025-16965-1 — infinispan

BDU:2020-02260

HIGH7.5

Уязвимость метода открытого класса invokeAccessibly программного обеспечения для хранения данных Infinispan связана с применением входных данных с внешним управлением для выбора классов. Эксплуатация уязвимости может позволить нарушителю выполнить произвольный код

Published: 2020-05-22

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2019-10174

CVE-2016-0750

HIGH8.8

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

Published: 2018-09-11Modified: 2024-11-21

CVSS 2.0MEDIUM 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2017-15089

HIGH8.8

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

Published: 2018-02-15Modified: 2024-11-21

CVSS 2.0MEDIUM 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2017-2638

MEDIUM6.5

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Published: 2018-07-16Modified: 2024-11-21

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

CVE-2019-10158

CRITICAL9.8

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

Published: 2020-01-02Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2019-10174

HIGH8.8

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

Published: 2019-11-25Modified: 2024-11-21

CVSS 2.0MEDIUM 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-25711

MEDIUM6.5

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

Published: 2020-12-03Modified: 2024-11-21

CVSS 2.0MEDIUM 4.9

CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:P

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

References

GHSA-46r5-59fg-2fjc

HIGH8.8

Deserialization of Untrusted Data in Infinispan

Published: 2022-05-14Modified: 2022-07-01

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

GHSA-6x3v-rw2q-9gx7

CRITICAL9.8

Improper implementation of the session fixation protection in Infinispan

Published: 2020-01-22Modified: 2023-03-28

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-8674-26jc-wh98

MEDIUM6.5

Improper Access Control in infinispan-server-runtime

Published: 2022-02-10

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

References

GHSA-h47x-2j37-fw5m

HIGH7.5

Use of Externally-Controlled Input to Select Classes or Code in Infinispan

Published: 2022-05-24Modified: 2022-06-29

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

GHSA-mvxp-3j62-jqr6

MEDIUM6.5

Infinispan Rest API Does Not Enforce Auth Constraints

Published: 2022-05-13Modified: 2023-08-01

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

Package update infinispan in branch sisyphus

Closed issues (12)

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

Deserialization of Untrusted Data in Infinispan

Improper implementation of the session fixation protection in Infinispan

Improper Access Control in infinispan-server-runtime

Use of Externally-Controlled Input to Select Classes or Code in Infinispan

Infinispan Rest API Does Not Enforce Auth Constraints