Infispan: rest bulk ops don't check permissions
CVE-2023-3628

6.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Data Grid 8.4.4; Red Hat Jboss Enterprise Application Platform 6
Vendor: CVE Published:; 18 December 2023

What is CVE-2023-3628?

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

References

https://access.redhat.com/errata/RHSA-2023:5396

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/security/cve/CVE-2023-3628

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2217924

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 18, 2023
Vulnerability Reserved
Jul 11, 2023

Red Hat

What is CVE-2023-3628?

References

CVSS V3.1

Timeline