CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5384 – Infinispan: credentials returned from configuration as clear text
https://notcve.org/view.php?id=CVE-2023-5384
18 Dec 2023 — A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration. Se encontró una falla en Infinispan. Al serializar la configuración de una caché en XML/JSON/YAML, que contiene credenciales (almacén JDBC con agrupación de conexiones, almacén remoto), las credenciales se devuelven en texto plano como parte de la configuración. • https://access.redhat.com/errata/RHSA-2023:7676 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 9.8EPSS: 94%CPEs: 444EXPL: 19CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-4586 – Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack
https://notcve.org/view.php?id=CVE-2023-4586
04 Oct 2023 — A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. Se encontró una vulnerabilidad en el cliente Hot Rod. Este problema de seguridad ocurre porque el cliente Hot Rod no habilita la validación del nombre de host cuando usa TLS, lo que posiblemente resulte en un ataque de man-in-the-middle (MITM). An update for Red Hat Data Grid 8 is now available. • https://access.redhat.com/errata/RHSA-2023:7676 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5236 – Infinispan: circular reference on marshalling leads to dos
https://notcve.org/view.php?id=CVE-2023-5236
28 Sep 2023 — A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service. Se encontró una falla en Infinispan, que no detecta referencias de objetos circulares al desarmar. Un atacante autenticado con permisos suficientes podría insertar un objeto construido con fines malintencionados en la memo... • https://access.redhat.com/errata/RHSA-2023:5396 • CWE-1047: Modules with Circular Dependencies •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3628 – Infispan: rest bulk ops don't check permissions
https://notcve.org/view.php?id=CVE-2023-3628
28 Sep 2023 — A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en el REST de Infinispan. Los endpoints de lectura masiva no evalúan adecuadamente los permisos de usuario para la operación. • https://access.redhat.com/errata/RHSA-2023:5396 • CWE-304: Missing Critical Step in Authentication •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3629 – Infinispan: non-admins should not be able to get cache config via rest api
https://notcve.org/view.php?id=CVE-2023-3629
28 Sep 2023 — A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Se encontró una falla en REST de Infinispan: los endpoints de recuperación de caché no evalúan adecuadamente los permisos de administrador necesarios para la operación. Este problema podría permitir que un usuario autenticado acceda a información fuera de sus permi... • https://access.redhat.com/errata/RHSA-2023:5396 • CWE-304: Missing Critical Step in Authentication •
CVSS: 7.5EPSS: 73%CPEs: 72EXPL: 1CVE-2021-4104 – Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
https://notcve.org/view.php?id=CVE-2021-4104
14 Dec 2021 — JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in Au... • https://github.com/cckuailong/log4shell_1.x • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 15EXPL: 0CVE-2021-3642 – wildfly-elytron: possible timing attack in ScramServer
https://notcve.org/view.php?id=CVE-2021-3642
05 Aug 2021 — A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. Se ha detectado un fallo en Wildfly Elytron en versiones anteriores a 1.10.14.Final, en versiones anteriores a la 1.15.5.Final y en versiones anteriores a la 1.16.1.Final donde ScramServer puede ser susceptible a Timing Attack si está habilitado. La mayor amenaza d... • https://bugzilla.redhat.com/show_bug.cgi?id=1981407 • CWE-203: Observable Discrepancy •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-31917 – Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism
https://notcve.org/view.php?id=CVE-2021-31917
27 May 2021 — A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se ha encontrado un fallo en Red Hat DataGrid versiones 8.x (8.0.0, 8.0.1, 8.1.0 y 8.1.1) e Infinispan (10.0.0 a 12.0.0). Un atacante podría omitir la autenticación en tod... • https://access.redhat.com/security/cve/cve-2021-31917 • CWE-287: Improper Authentication •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-10771 – infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API
https://notcve.org/view.php?id=CVE-2020-10771
27 May 2021 — A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack. Se ha encontrado un fallo en Infinispan versión 10, donde es posible llevar a cabo varias acciones que podrían tener efectos secundarios utilizando peticiones GET. Este fallo permite a un atacante llevar a cabo un ataque de tipo cross-site request forgery (CSRF) A flaw was found in infin... • https://bugzilla.redhat.com/show_bug.cgi?id=1846293 • CWE-352: Cross-Site Request Forgery (CSRF) •