CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5384 – Infinispan: credentials returned from configuration as clear text
https://notcve.org/view.php?id=CVE-2023-5384
18 Dec 2023 — A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration. Se encontró una falla en Infinispan. Al serializar la configuración de una caché en XML/JSON/YAML, que contiene credenciales (almacén JDBC con agrupación de conexiones, almacén remoto), las credenciales se devuelven en texto plano como parte de la configuración. • https://access.redhat.com/errata/RHSA-2023:7676 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-4586 – Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack
https://notcve.org/view.php?id=CVE-2023-4586
04 Oct 2023 — A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. Se encontró una vulnerabilidad en el cliente Hot Rod. Este problema de seguridad ocurre porque el cliente Hot Rod no habilita la validación del nombre de host cuando usa TLS, lo que posiblemente resulte en un ataque de man-in-the-middle (MITM). An update for Red Hat Data Grid 8 is now available. • https://access.redhat.com/errata/RHSA-2023:7676 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3628 – Infispan: rest bulk ops don't check permissions
https://notcve.org/view.php?id=CVE-2023-3628
28 Sep 2023 — A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en el REST de Infinispan. Los endpoints de lectura masiva no evalúan adecuadamente los permisos de usuario para la operación. • https://access.redhat.com/errata/RHSA-2023:5396 • CWE-304: Missing Critical Step in Authentication •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3629 – Infinispan: non-admins should not be able to get cache config via rest api
https://notcve.org/view.php?id=CVE-2023-3629
28 Sep 2023 — A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en REST de Infinispan: los endpoints de recuperación de caché no evalúan adecuadamente los permisos de administrador necesarios para la operación. Este problema podría permitir que un usuario autenticado acceda a información fuera de sus permi... • https://access.redhat.com/errata/RHSA-2023:5396 • CWE-304: Missing Critical Step in Authentication •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5236 – Infinispan: circular reference on marshalling leads to dos
https://notcve.org/view.php?id=CVE-2023-5236
28 Sep 2023 — A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service. Se encontró una falla en Infinispan, que no detecta referencias de objetos circulares al desarmar. Un atacante autenticado con permisos suficientes podría insertar un objeto construido con fines malintencionados en la memo... • https://access.redhat.com/errata/RHSA-2023:5396 • CWE-1047: Modules with Circular Dependencies •
CVSS: 5.3EPSS: 0%CPEs: 15EXPL: 0CVE-2021-3642 – wildfly-elytron: possible timing attack in ScramServer
https://notcve.org/view.php?id=CVE-2021-3642
05 Aug 2021 — A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. Se ha detectado un fallo en Wildfly Elytron en versiones anteriores a 1.10.14.Final, en versiones anteriores a la 1.15.5.Final y en versiones anteriores a la 1.16.1.Final donde ScramServer puede ser susceptible a Timing Attack si está habilitado. La mayor amenaza d... • https://bugzilla.redhat.com/show_bug.cgi?id=1981407 • CWE-203: Observable Discrepancy •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-10771 – infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API
https://notcve.org/view.php?id=CVE-2020-10771
27 May 2021 — A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack. Se ha encontrado un fallo en Infinispan versión 10, donde es posible llevar a cabo varias acciones que podrían tener efectos secundarios utilizando peticiones GET. Este fallo permite a un atacante llevar a cabo un ataque de tipo cross-site request forgery (CSRF) A flaw was found in infin... • https://bugzilla.redhat.com/show_bug.cgi?id=1846293 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-31917 – Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism
https://notcve.org/view.php?id=CVE-2021-31917
27 May 2021 — A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se ha encontrado un fallo en Red Hat DataGrid versiones 8.x (8.0.0, 8.0.1, 8.1.0 y 8.1.1) e Infinispan (10.0.0 a 12.0.0). Un atacante podría omitir la autenticación en tod... • https://access.redhat.com/security/cve/cve-2021-31917 • CWE-287: Improper Authentication •
CVSS: 4.8EPSS: 0%CPEs: 9EXPL: 0CVE-2021-3536 – wildfly: XSS via admin console when creating roles in domain mode
https://notcve.org/view.php?id=CVE-2021-3536
20 May 2021 — A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto af... • https://bugzilla.redhat.com/show_bug.cgi?id=1948001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25711 – infinispan: authorization check missing for server management operations
https://notcve.org/view.php?id=CVE-2020-25711
03 Dec 2020 — A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. Se encontró un fallo en la API REST de infinispan versión 10, donde los permisos de autorización no son comprobados mientras se llevan a cabo algunas operaciones de administración del servidor. Cuando authz está habilitada, cualquier usuar... • https://bugzilla.redhat.com/show_bug.cgi?id=1897618 • CWE-862: Missing Authorization •