// For flags

CVE-2018-1131

infinispan: deserialization of data in XML and JSON transcoders

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.

Infinispan permite la deserialización incorrecta de datos fiables mediante transcodificadores XML y JSON en ciertas configuraciones del servidor. Un usuario con acceso autenticado al servidor podría enviar un objeto malicioso a una caché configurada para aceptar ciertos tipos de objetos, logrando la ejecución de código y, posiblemente, más ataques. Se cree que las versiones 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final y 9.3.0.Alpha1 se han visto afectadas.

Red Hat JBoss Data Grid is a distributed in-memory data grid based on Infinispan. This release of Red Hat JBoss Data Grid 7.2.1 serves as a replacement for Red Hat JBoss Data Grid 7.2.0 and includes bug fixes and enhancements. You can find a link to the Release Notes that describe these bug fixes and enhancements in the References section of this erratum. Issues addressed include a deserialization vulnerability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-12-04 CVE Reserved
  • 2018-05-15 CVE Published
  • 2024-09-16 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Infinispan
Search vendor "Infinispan"
 Infinispan
Search vendor "Infinispan" for product "Infinispan"
 8.2.10
Search vendor "Infinispan" for product "Infinispan" and version "8.2.10"
-
Affected
Infinispan
Search vendor "Infinispan"
 Infinispan
Search vendor "Infinispan" for product "Infinispan"
 9.0.3
Search vendor "Infinispan" for product "Infinispan" and version "9.0.3"
-
Affected
Infinispan
Search vendor "Infinispan"
 Infinispan
Search vendor "Infinispan" for product "Infinispan"
 9.1.7
Search vendor "Infinispan" for product "Infinispan" and version "9.1.7"
-
Affected
Infinispan
Search vendor "Infinispan"
 Infinispan
Search vendor "Infinispan" for product "Infinispan"
 9.2.2
Search vendor "Infinispan" for product "Infinispan" and version "9.2.2"
-
Affected
Infinispan
Search vendor "Infinispan"
 Infinispan
Search vendor "Infinispan" for product "Infinispan"
 9.3.0
Search vendor "Infinispan" for product "Infinispan" and version "9.3.0"
alpha1
Affected
Redhat
Search vendor "Redhat"
 Jboss Data Grid
Search vendor "Redhat" for product "Jboss Data Grid"
 7.2
Search vendor "Redhat" for product "Jboss Data Grid" and version "7.2"
-
Affected