Description
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
References
- Issue Tracking, Third Party Advisory
- Third Party Advisory
- Issue Tracking, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 11.0.6 (excluding)
cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*
Configuration 2
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
Configuration 3
One of
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
EPSS
Percentile: 40%
0.00183
Low
CVSS3: 6.5 Medium
CVSS2: 4.9 Medium
Weaknesses
CWE-862
Related vulnerabilities
- redhat (CVSS3: 5.9, about 5 years ago): A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
- github (CVSS3: 6.5, almost 4 years ago): Improper Access Control in infinispan-server-runtime