Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00NnI1LTU5ZmctMmZqY84AATY0

Deserialization of Untrusted Data in Infinispan

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

Permalink: https://github.com/advisories/GHSA-46r5-59fg-2fjc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NnI1LTU5ZmctMmZqY84AATY0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-46r5-59fg-2fjc, CVE-2017-15089
References: Repository: https://github.com/infinispan/infinispan
Blast Radius: 31.8

Affected Packages

maven:org.infinispan:infinispan-core
Dependent packages: 543
Dependent repositories: 4,067
Downloads:
Affected Version Ranges: <= 9.2.0.Beta2
Fixed in: 9.2.0.CR1
All affected versions:
All unaffected versions: