CVE-2017-15089 – org.infinispan:infinispan-core
Package
Manager: maven
Name: org.infinispan:infinispan-core
Vulnerable Version: >=0 <9.2.0.cr1
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03911 (percentile: 0.87837)
Details
Deserialization of Untrusted Data in Infinispan
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache, have it deserialized on the client, and possibly conduct further attacks.
Metadata
Created: 2022-05-14T00:59:30Z
Modified: 2022-07-01T19:46:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-46r5-59fg-2fjc/GHSA-46r5-59fg-2fjc.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-46r5-59fg-2fjc
Finding: F096
Auto approve: 1