Sensitive Information Exposure in Infinispan via JGroups with JDBC_PING
CVE-2025-0736
5.5 MEDIUM
Summary
A flaw exists in Infinispan's implementation when JGroups is used together with JDBC_PING. The vulnerability arises when applications inadvertently expose sensitive details, including configuration information or credentials, through logging mechanisms. An attacker who can read those logs could use the exposed data to gain unauthorized access, potentially leading to further exploitation of the affected systems. Users of Infinispan should review their logging configurations and limit the logging of sensitive data to mitigate the risks associated with this exposure.
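The advisory does not say which messages carry the credentials, so the following is an added, generic illustration of the mitigation it recommends, not Infinispan or JGroups code. It scans constructed log lines for credential-like key/value pairs (the attribute names `connection_url`, `connection_username` and `connection_password` are modelled on JDBC_PING configuration, but the lines themselves are made up) and shows a logging filter that redacts such values before they reach a handler:

```python
import logging
import re

# Constructed sample messages; they imitate the kind of configuration dump
# that can leak a JDBC password, and are NOT real Infinispan/JGroups output.
SAMPLE_LOG = [
    "JDBC_PING: connection_url=jdbc:postgresql://db.internal:5432/jgroups?user=jg&password=S3cr3t!",
    "JDBC_PING: connection_username=jgroups connection_password=hunter2",
    "cluster view changed: [node-a, node-b]",
    "datasource props {url=jdbc:mysql://db/ispn, user=ispn, password=Pa55w0rd}",
]

# Credential-like key, separator, then the value up to a delimiter.
SECRET_RE = re.compile(
    r"(?i)(password|passwd|pwd|secret|token)(\s*[=:]\s*)([^\s,;&}\"']+)"
)


def redact(text):
    """Replace the value following a credential-like key with a fixed marker."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}***REDACTED***", text)


def find_exposures(lines):
    """Detection: (line_no, redacted_line) for every line carrying a secret value."""
    return [(n, redact(line)) for n, line in enumerate(lines, 1) if SECRET_RE.search(line)]


class RedactingFilter(logging.Filter):
    """Mitigation: rewrite each record's message before any handler sees it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


class ListHandler(logging.Handler):
    """Collects formatted output so the effect of the filter can be inspected."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


def emit_redacted(lines):
    """Log every line through a logger fitted with RedactingFilter; return the output."""
    logger = logging.getLogger("jdbc-ping-redaction-demo")  # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for line in lines:
        logger.info("%s", line)
    return handler.records


if __name__ == "__main__":
    for n, line in find_exposures(SAMPLE_LOG):
        print(f"line {n} exposes a credential: {line}")
    print("--- output with RedactingFilter ---")
    for out in emit_redacted(SAMPLE_LOG):
        print(out)
```

The detection half is useful for auditing existing log archives; the filter half is the configuration-level fix the advisory points at, applied at the logger so that every handler (file, console, remote collector) receives the redacted text. The key list in `SECRET_RE` is a starting point and should be extended to whatever property names a deployment actually uses.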
References
CVSS V3.1
Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Vika Vorkin for reporting this issue.