CVE-2023-4586

Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack

Severity Score

7.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

Se encontró una vulnerabilidad en el cliente Hot Rod. Este problema de seguridad ocurre porque el cliente Hot Rod no habilita la validación del nombre de host cuando usa TLS, lo que posiblemente resulte en un ataque de man-in-the-middle (MITM).

An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a man-in-the-middle vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-29 CVE Reserved
2023-10-04 CVE Published
2024-11-23 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-295: Improper Certificate Validation

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2023:7676	2023-12-06
https://access.redhat.com/security/cve/CVE-2023-4586	2023-12-06
https://bugzilla.redhat.com/show_bug.cgi?id=2235564	2023-12-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Data Grid Search vendor "Redhat" for product "Data Grid"				8.0.0 Search vendor "Redhat" for product "Data Grid" and version "8.0.0"		-		Affected
Infinispan Search vendor "Infinispan"		Hot Rod Search vendor "Infinispan" for product "Hot Rod"				-		-		Affected