CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-10771 – infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API
https://notcve.org/view.php?id=CVE-2020-10771
A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack. Se ha encontrado un fallo en Infinispan versión 10, donde es posible llevar a cabo varias acciones que podrían tener efectos secundarios utilizando peticiones GET. Este fallo permite a un atacante llevar a cabo un ataque de tipo cross-site request forgery (CSRF) A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1846293 https://security.netapp.com/advisory/ntap-20210827-0003 https://access.redhat.com/security/cve/CVE-2020-10771 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-31917 – Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism
https://notcve.org/view.php?id=CVE-2021-31917
A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se ha encontrado un fallo en Red Hat DataGrid versiones 8.x (8.0.0, 8.0.1, 8.1.0 y 8.1.1) e Infinispan (10.0.0 a 12.0.0). Un atacante podría omitir la autenticación en todos los REST endpoints cuando es usado DIGEST como método de autenticación. • https://access.redhat.com/security/cve/cve-2021-31917 https://access.redhat.com/security/cve/CVE-2021-31917 https://bugzilla.redhat.com/show_bug.cgi?id=1955113 • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25711 – infinispan: authorization check missing for server management operations
https://notcve.org/view.php?id=CVE-2020-25711
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. Se encontró un fallo en la API REST de infinispan versión 10, donde los permisos de autorización no son comprobados mientras se llevan a cabo algunas operaciones de administración del servidor. Cuando authz está habilitada, cualquier usuario con autenticación puede realizar operaciones como apagar el servidor sin el rol de ADMIN A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. • https://bugzilla.redhat.com/show_bug.cgi?id=1897618 https://security.netapp.com/advisory/ntap-20220210-0023 https://access.redhat.com/security/cve/CVE-2020-25711 • CWE-862: Missing Authorization •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10746 – Infinispan: REST and HotRod APIs unsecured locally by default
https://notcve.org/view.php?id=CVE-2020-10746
A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server. Se encontró un fallo en la versión 10 de Infinispan (org.infinispan:infinispan-server-runtime), que permite el acceso local a los controles a través de las API REST y HotRod. Este fallo permite a un usuario autentificado en la máquina local realizar todas las operaciones en las cachés, incluyendo la creación, actualización, eliminación y apagado de todo el servidor • https://bugzilla.redhat.com/show_bug.cgi?id=1835922 https://access.redhat.com/security/cve/CVE-2020-10746 • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10158 – infinispan: Session fixation protection broken for Spring Session integration
https://notcve.org/view.php?id=CVE-2019-10158
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. Se encontró un fallo en Infinispan versiones hasta la versión 9.4.14.Final. Una implementación inapropiada de la protección de fijación de sesión en la integración de Spring Session puede resultar en un manejo de sesión incorrecto. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158 https://github.com/infinispan/infinispan/pull/6960 https://github.com/infinispan/infinispan/pull/7025 https://security.netapp.com/advisory/ntap-20231227-0009 https://access.redhat.com/security/cve/CVE-2019-10158 https://bugzilla.redhat.com/show_bug.cgi?id=1714359 • CWE-384: Session Fixation •