Vulnerability CVE-2017-15089


Published: 2018-02-15

Description:
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

Type:

CWE-502

(Deserialization of Untrusted Data)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.5/10
6.4/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Infinispan -> Infinispan 

 References:
http://www.securitytracker.com/id/1040360
https://access.redhat.com/errata/RHSA-2018:0294
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0501
https://access.redhat.com/errata/RHSA-2019:1326
https://github.com/infinispan/infinispan/pull/5639

Copyright 2024, cxsecurity.com

 

Back to Top