Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Infinispan Subscribe
Filtered by product Infinispan
Total 7 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-25711 3 Infinispan, Netapp, Redhat 3 Infinispan, Active Iq Unified Manager, Data Grid 2022-11-09 4.9 MEDIUM 6.5 MEDIUM
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
CVE-2019-10174 3 Infinispan, Netapp, Redhat 8 Infinispan, Active Iq Unified Manager, Enterprise Linux and 5 more 2022-02-19 6.5 MEDIUM 8.8 HIGH
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
CVE-2019-10158 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2020-01-10 7.5 HIGH 9.8 CRITICAL
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.
CVE-2018-1131 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2019-10-09 6.5 MEDIUM 8.8 HIGH
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
CVE-2017-2638 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2019-10-09 6.4 MEDIUM 6.5 MEDIUM
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
CVE-2016-0750 1 Infinispan 1 Infinispan 2019-10-09 6.5 MEDIUM 8.8 HIGH
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
CVE-2017-15089 1 Infinispan 1 Infinispan 2019-06-04 6.5 MEDIUM 8.8 HIGH
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.