CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5384 – Infinispan: credentials returned from configuration as clear text
https://notcve.org/view.php?id=CVE-2023-5384
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration. Se encontró una falla en Infinispan. Al serializar la configuración de una caché en XML/JSON/YAML, que contiene credenciales (almacén JDBC con agrupación de conexiones, almacén remoto), las credenciales se devuelven en texto plano como parte de la configuración. • https://access.redhat.com/errata/RHSA-2023:7676 https://access.redhat.com/security/cve/CVE-2023-5384 https://bugzilla.redhat.com/show_bug.cgi?id=2242156 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.5EPSS: 81%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3628 – Infispan: rest bulk ops don't check permissions
https://notcve.org/view.php?id=CVE-2023-3628
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en el REST de Infinispan. Los endpoints de lectura masiva no evalúan adecuadamente los permisos de usuario para la operación. • https://access.redhat.com/errata/RHSA-2023:5396 https://access.redhat.com/security/cve/CVE-2023-3628 https://bugzilla.redhat.com/show_bug.cgi?id=2217924 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-304: Missing Critical Step in Authentication •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3629 – Infinispan: non-admins should not be able to get cache config via rest api
https://notcve.org/view.php?id=CVE-2023-3629
A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en REST de Infinispan: los endpoints de recuperación de caché no evalúan adecuadamente los permisos de administrador necesarios para la operación. Este problema podría permitir que un usuario autenticado acceda a información fuera de sus permisos previstos. • https://access.redhat.com/errata/RHSA-2023:5396 https://access.redhat.com/security/cve/CVE-2023-3629 https://bugzilla.redhat.com/show_bug.cgi?id=2217926 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-304: Missing Critical Step in Authentication •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5236 – Infinispan: circular reference on marshalling leads to dos
https://notcve.org/view.php?id=CVE-2023-5236
A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service. Se encontró una falla en Infinispan, que no detecta referencias de objetos circulares al desarmar. Un atacante autenticado con permisos suficientes podría insertar un objeto construido con fines malintencionados en la memoria caché y utilizarlo para provocar errores de falta de memoria y lograr una denegación de servicio. • https://access.redhat.com/errata/RHSA-2023:5396 https://access.redhat.com/security/cve/CVE-2023-5236 https://bugzilla.redhat.com/show_bug.cgi?id=2240999 https://security.netapp.com/advisory/ntap-20240125-0004 • CWE-1047: Modules with Circular Dependencies •