MidnightBSD

Advisories for infinispan

CVE-2016-0750 MEDIUM

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-138,CWE-502,

Products Affected

Vendor Product Version
infinispan infinispan *
CVE-2017-15089 MEDIUM

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
infinispan infinispan *
infinispan infinispan 9.2.0
CVE-2017-2638 MEDIUM

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,CWE-287,

Products Affected

Vendor Product Version
redhat jboss_data_grid 7.1
infinispan infinispan *
CVE-2018-1131 MEDIUM

Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-349,CWE-502,

Products Affected

Vendor Product Version
infinispan infinispan 9.1.7
infinispan infinispan 9.2.2
redhat jboss_data_grid 7.2
infinispan infinispan 9.0.3
infinispan infinispan 8.2.10
infinispan infinispan 9.3.0
CVE-2019-10158 HIGH

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-384,CWE-384,

Products Affected

Vendor Product Version
infinispan infinispan *
redhat jboss_data_grid 7.0.0
CVE-2019-10174 MEDIUM

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-470,CWE-470,

Products Affected

Vendor Product Version
redhat jboss_data_grid -
redhat single_sign-on -
redhat jboss_enterprise_application_platform 7.2
redhat fuse 1.0
infinispan infinispan *
netapp active_iq_unified_manager -
redhat openshift_application_runtimes -
redhat jboss_enterprise_application_platform -
CVE-2020-10746 MEDIUM

A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 1.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,NVD-CWE-Other,

Products Affected

Vendor Product Version
infinispan infinispan-server-runtime 10.0.0
CVE-2020-10771 MEDIUM

A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
redhat data_grid 8.0
netapp oncommand_insight -
infinispan infinispan-server-rest 10.0.0
CVE-2020-25711 MEDIUM

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 1.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,CWE-862,

Products Affected

Vendor Product Version
redhat data_grid 8.0
infinispan infinispan *
netapp active_iq_unified_manager -
CVE-2021-31917 HIGH

A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
redhat data_grid 8.1.0
redhat data_grid 8.0.1
infinispan infinispan-server-rest *
redhat data_grid 8.1.1
redhat data_grid 8.0.0
CVE-2023-3628

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
redhat jboss_data_grid -
redhat data_grid *
redhat jboss_enterprise_application_platform 6
infinispan infinispan -
CVE-2023-3629

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
secalert@redhat.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
redhat jboss_data_grid -
redhat data_grid *
redhat jboss_enterprise_application_platform 6
infinispan infinispan -
CVE-2023-4586

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2
secalert@redhat.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
infinispan hot_rod -
redhat data_grid 8.0.0
CVE-2023-5236

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H 0.7 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
redhat jboss_data_grid -
redhat data_grid *
infinispan infinispan -
CVE-2023-5384

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4
secalert@redhat.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
redhat jboss_data_grid -
redhat data_grid *
infinispan infinispan -
CVE-2025-5731

A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_enterprise_application_platform_expansion_pack -
redhat jboss_enterprise_application_platform 8.0.0
redhat data_grid 8.5.4
infinispan infinispan -