Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nZzU3LTU4N2YtaDV2Ns4AA429

Infinispan caches credentials in clear text

A flaw was found in Infinispan. When the configuration of a cache that contains credentials (a JDBC store with connection pooling, or a remote store) is serialized to XML, JSON or YAML, the credentials are returned in clear text as part of the serialized configuration.

Permalink: https://github.com/advisories/GHSA-gg57-587f-h5v6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nZzU3LTU4N2YtaDV2Ns4AA429
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 3 days ago

CVSS Score: 2.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-gg57-587f-h5v6, CVE-2023-5384
References: Repository: https://github.com/infinispan/infinispan
Blast Radius: 9.7

Affected Packages

maven:org.infinispan:infinispan-cachestore-jdbc
Dependent packages: 105
Dependent repositories: 1,030
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final

maven:org.infinispan:infinispan-cachestore-sql
Dependent packages: 6
Dependent repositories: 11
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final

maven:org.infinispan:infinispan-cachestore-remote
Dependent packages: 100
Dependent repositories: 653
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final

maven:org.infinispan:infinispan-cachestore-jdbc-common
Dependent packages: 10
Dependent repositories: 37
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final

maven:org.infinispan:infinispan-client-hotrod
Dependent packages: 229
Dependent repositories: 1,858
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final

maven:org.infinispan:infinispan-hotrod
Dependent packages: 1
Dependent repositories: 13
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final

maven:org.infinispan:infinispan-commons
Dependent packages: 206
Dependent repositories: 1,007
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final

maven:org.infinispan:infinispan-core
Dependent packages: 543
Dependent repositories: 4,067
Affected Version Ranges: < 14.0.25.Final, >= 15.0.0.Dev01, < 15.0.0.Dev07
Fixed in: 14.0.25.Final, 15.0.0.Dev07
All affected versions: 14.0.2-0.Final, 14.0.2-1.Final, 14.0.2-2.Final, 14.0.2-3.Final, 14.0.2-4.Final