RSS   Vulnerabilities for 'Infinispan'   RSS

2018-09-11
 
CVE-2016-0750

CWE-502
 

 
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

 
2018-07-16
 
CVE-2017-2638

CWE-287
 

 
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

 
2018-05-15
 
CVE-2018-1131

CWE-502
 

 
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.

 
2018-02-15
 
CVE-2017-15089

CWE-502
 

 
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

 


Copyright 2019, cxsecurity.com

 

Back to Top