Infinispan: non-admins should not be able to get cache config via rest api
CVE-2023-3629

4.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Data Grid 8.4.4; Red Hat Jboss Enterprise Application Platform 6
Vendor: CVE Published:; 18 December 2023

Summary

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

References

https://access.redhat.com/errata/RHSA-2023:5396

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/security/cve/CVE-2023-3629

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2217926

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 18, 2023
Vulnerability Reserved
Jul 11, 2023

Collectors

NVD DatabaseMitre Database