Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1oNDd4LTJqMzctZnc1bc4AAiwa

Use of Externally-Controlled Input to Select Classes or Code in Infinispan

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

Permalink: https://github.com/advisories/GHSA-h47x-2j37-fw5m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNDd4LTJqMzctZnc1bc4AAiwa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-h47x-2j37-fw5m, CVE-2019-10174
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-10174
• https://access.redhat.com/errata/RHSA-2020:0481
• https://access.redhat.com/errata/RHSA-2020:0727
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174
• https://security.netapp.com/advisory/ntap-20220210-0018/
• https://github.com/infinispan/infinispan/commit/5dbb05cfaca01a1a66732b82a0f5ba615ccbd214
• https://github.com/infinispan/infinispan/commit/7bdc2822ccf79127a488130239c49a5e944e3ca2
• https://github.com/advisories/GHSA-h47x-2j37-fw5m

Repository: https://github.com/infinispan/infinispan
Blast Radius: 27.1

Affected Packages