
CVE-2020-25711 – infinispan: authorization check missing for server management operations
https://notcve.org/view.php?id=CVE-2020-25711
03 Dec 2020 — A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any authenticated user can perform operations such as shutting down the server without holding the ADMIN role. • https://bugzilla.redhat.com/show_bug.cgi?id=1897618 • CWE-862: Missing Authorization

CVE-2019-10158 – infinispan: Session fixation protection broken for Spring Session integration
https://notcve.org/view.php?id=CVE-2019-10158
02 Dec 2019 — A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infin... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158 • CWE-384: Session Fixation

CVE-2019-10174 – infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
https://notcve.org/view.php?id=CVE-2019-10174
18 Nov 2019 — A vulnerability was found in Infinispan such that the invokeAccessibly method of the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. An attacker can use this reflection to introduce new, malicious behavior into the application. • https://access.redhat.com/errata/RHSA-2020:0481 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CVE-2018-1131 – infinispan: deserialization of data in XML and JSON transcoders
https://notcve.org/view.php?id=CVE-2018-1131
15 May 2018 — Infinispan permits improper deserialization of trusted data via the XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possibly further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final and 9.3.0.Alpha1 are believed to be affected. • http://www.securityfocus.com/bid/104218 • CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data • CWE-502: Deserialization of Untrusted Data

CVE-2017-15089 – infinispan: Unsafe deserialization of malicious object injected into data cache
https://notcve.org/view.php?id=CVE-2017-15089
12 Feb 2018 — It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache, have it deserialized on the client, and possibly conduct further attacks. • http://www.securitytracker.com/id/1040360 • CWE-502: Deserialization of Untrusted Data

CVE-2016-0750 – client: unchecked deserialization in marshaller util
https://notcve.org/view.php?id=CVE-2016-0750
17 Nov 2017 — The Hotrod Java client in Infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially crafted serialized object to attain remote code execution or conduct other attacks. • http://www.securityfocus.com/bid/101910 • CWE-138: Improper Neutralization of Special Elements • CWE-502: Deserialization of Untrusted Data