Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00NnI1LTU5ZmctMmZqY84AATY0

Deserialization of Untrusted Data in Infinispan

It was found that the Hot Rod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious serialized object into the data cache, trigger its deserialization on the client, and possibly conduct further attacks.

Permalink: https://github.com/advisories/GHSA-46r5-59fg-2fjc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NnI1LTU5ZmctMmZqY84AATY0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-46r5-59fg-2fjc, CVE-2017-15089
References: Repository: https://github.com/infinispan/infinispan
Blast Radius: 31.8

Affected Packages

maven:org.infinispan:infinispan-core
Dependent packages: 543
Dependent repositories: 4,067
Affected Version Ranges: <= 9.2.0.Beta2
Fixed in: 9.2.0.CR1