CVE-2023-5384 – Infinispan: credentials returned from configuration as clear text
https://notcve.org/view.php?id=CVE-2023-5384
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration. Se encontró una falla en Infinispan. Al serializar la configuración de una caché en XML/JSON/YAML, que contiene credenciales (almacén JDBC con agrupación de conexiones, almacén remoto), las credenciales se devuelven en texto plano como parte de la configuración. • https://access.redhat.com/errata/RHSA-2023:7676 https://access.redhat.com/security/cve/CVE-2023-5384 https://bugzilla.redhat.com/show_bug.cgi?id=2242156 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2023-3628 – Infispan: rest bulk ops don't check permissions
https://notcve.org/view.php?id=CVE-2023-3628
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en el REST de Infinispan. Los endpoints de lectura masiva no evalúan adecuadamente los permisos de usuario para la operación. • https://access.redhat.com/errata/RHSA-2023:5396 https://access.redhat.com/security/cve/CVE-2023-3628 https://bugzilla.redhat.com/show_bug.cgi?id=2217924 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-304: Missing Critical Step in Authentication •
CVE-2023-3629 – Infinispan: non-admins should not be able to get cache config via rest api
https://notcve.org/view.php?id=CVE-2023-3629
A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en REST de Infinispan: los endpoints de recuperación de caché no evalúan adecuadamente los permisos de administrador necesarios para la operación. Este problema podría permitir que un usuario autenticado acceda a información fuera de sus permisos previstos. • https://access.redhat.com/errata/RHSA-2023:5396 https://access.redhat.com/security/cve/CVE-2023-3629 https://bugzilla.redhat.com/show_bug.cgi?id=2217926 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-304: Missing Critical Step in Authentication •
CVE-2023-5236 – Infinispan: circular reference on marshalling leads to dos
https://notcve.org/view.php?id=CVE-2023-5236
A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service. Se encontró una falla en Infinispan, que no detecta referencias de objetos circulares al desarmar. Un atacante autenticado con permisos suficientes podría insertar un objeto construido con fines malintencionados en la memoria caché y utilizarlo para provocar errores de falta de memoria y lograr una denegación de servicio. • https://access.redhat.com/errata/RHSA-2023:5396 https://access.redhat.com/security/cve/CVE-2023-5236 https://bugzilla.redhat.com/show_bug.cgi?id=2240999 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-1047: Modules with Circular Dependencies •
CVE-2020-10771 – infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API
https://notcve.org/view.php?id=CVE-2020-10771
A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack. Se ha encontrado un fallo en Infinispan versión 10, donde es posible llevar a cabo varias acciones que podrían tener efectos secundarios utilizando peticiones GET. Este fallo permite a un atacante llevar a cabo un ataque de tipo cross-site request forgery (CSRF) A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1846293 https://security.netapp.com/advisory/ntap-20210827-0003 https://access.redhat.com/security/cve/CVE-2020-10771 • CWE-352: Cross-Site Request Forgery (CSRF) •