Filtered by vendor Infinispan
Subscribe
Search
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-4586 | 2 Infinispan, Redhat | 2 Hot Rod, Data Grid | 2023-12-06 | N/A | 7.4 HIGH |
| A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. | |||||
| CVE-2019-10174 | 3 Infinispan, Netapp, Redhat | 8 Infinispan, Active Iq Unified Manager, Enterprise Linux and 5 more | 2022-02-20 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. | |||||
| CVE-2020-10771 | 3 Infinispan, Netapp, Redhat | 3 Infinispan-server-rest, Oncommand Insight, Data Grid | 2021-11-30 | 5.8 MEDIUM | 7.1 HIGH |
| A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack. | |||||
| CVE-2018-1131 | 2 Infinispan, Redhat | 2 Infinispan, Jboss Data Grid | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected. | |||||
| CVE-2016-0750 | 1 Infinispan | 1 Infinispan | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks. | |||||
| CVE-2017-15089 | 1 Infinispan | 1 Infinispan | 2019-06-04 | 6.5 MEDIUM | 8.8 HIGH |
| It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. | |||||