Description
Use of Externally-Controlled Input to Select Classes or Code in Infinispan
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-10174
- https://github.com/infinispan/infinispan/commit/5dbb05cfaca01a1a66732b82a0f5ba615ccbd214
- https://github.com/infinispan/infinispan/commit/7bdc2822ccf79127a488130239c49a5e944e3ca2
- https://access.redhat.com/errata/RHSA-2020:0481
- https://access.redhat.com/errata/RHSA-2020:0727
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174
- https://security.netapp.com/advisory/ntap-20220210-0018
Packages
- org.infinispan:infinispan-core: affected <= 8.2.11.Final; fixed in 8.2.12.Final
- org.infinispan:infinispan-core: affected >= 9.0.0.Final, <= 9.4.16.Final; fixed in 9.4.17.Final
Related vulnerabilities
The vulnerability in the invokeAccessibly method of a public class in the Infinispan data storage software is related to the use of externally controlled input to select classes. Exploitation of the vulnerability may allow an attacker to execute arbitrary code.