Description
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat JBoss Data Virtualization 6 | infinispan | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | infinispan | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | infinispan-core | Affected | | |
| Red Hat JBoss Fuse 6 | camel | Affected | | |
| Red Hat JBoss Fuse Service Works 6 | infinispan | Out of support scope | | |
| Red Hat JBoss Operations Network 3 | infinispan | Not affected | | |
| Red Hat OpenShift Application Runtimes | infinispan | Affected | | |
| Red Hat Single Sign-On 7 | infinispan | Not affected | | |
| Red Hat Data Grid | infinispan | Fixed | RHSA-2018:1833 | 12.06.2018 |
| Red Hat Fuse 7.5.0 | camel | Fixed | RHSA-2019:3892 | 14.11.2019 |
Additional information
Status:
EPSS
CVSS3: 7.5 High
Related vulnerabilities
Deserialization of Untrusted Data in Infinispan
EPSS
CVSS3: 7.5 High