CVE-2023-3628

Infispan: rest bulk ops don't check permissions

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

Se encontró una falla en el REST de Infinispan. Los endpoints de lectura masiva no evalúan adecuadamente los permisos de usuario para la operación. Este problema podría permitir que un usuario autenticado acceda a información fuera de sus permisos previstos.

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Issues addressed include a denial of service vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-07-11 CVE Reserved
2023-09-28 CVE Published
2024-11-23 CVE Updated
2025-05-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-304: Missing Critical Step in Authentication

CAPEC

References (4)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20240125-0004

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2023:5396	2024-01-25
https://access.redhat.com/security/cve/CVE-2023-3628	2023-09-28
https://bugzilla.redhat.com/show_bug.cgi?id=2217924	2023-09-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Data Grid Search vendor "Redhat" for product "Jboss Data Grid"				-		text-only		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				6 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6"		-		Affected
Redhat Search vendor "Redhat"		Data Grid Search vendor "Redhat" for product "Data Grid"				< 8.4.4 Search vendor "Redhat" for product "Data Grid" and version " < 8.4.4"		-		Affected
Infinispan Search vendor "Infinispan"		Infinispan Search vendor "Infinispan" for product "Infinispan"				-		-		Affected