Severity: HIGH (CVSS 8.8) · Ecosystem: Maven
Deserialization of Untrusted Data in Infinispan
GHSA-46r5-59fg-2fjc · CVE-2017-15089
Description
The Hot Rod client in Infinispan before 9.2.0.CR1 deserialized values read from the cache with plain Java serialization and placed no restriction on which classes the stream could instantiate. An authenticated attacker with write access to a cache could therefore store a crafted serialized object; when a Hot Rod client later read that entry, the object was deserialized on the client, with the usual consequences of deserializing untrusted data in Java (instantiation of any serializable class on the client's classpath, which in the presence of a suitable gadget chain typically means code execution) and the possibility of further attacks from there. Note the trust boundary: the attacker does not need to compromise the server, only to be able to write to a cache that other clients read, and every client that reads the poisoned entry is affected. The issue is fixed in 9.2.0.CR1 (see the linked pull request and commits); the Red Hat errata below cover the corresponding Red Hat JBoss Data Grid builds.
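The defence for this class of bug is an allow-list of the classes a client will deserialize, so that bytes written by another cache user cannot instantiate arbitrary types. The following is an added example, not code from the Infinispan project or from this advisory: it shows an application-side allow-list using the JVM's ObjectInputFilter (JEP 290, java.io.ObjectInputFilter since Java 9, backported to 8u121 as sun.misc.ObjectInputFilter) around a value read back from a cache, and rejects a constructed payload whose class is not on the list. The Hot Rod client-side setting mentioned in the comments (ConfigurationBuilder.addJavaSerialWhiteList / the property infinispan.client.hotrod.java_serial_whitelist) is assumed to be the client's own mechanism in the fixed 9.2 line; verify the exact name against the version you run. The Person class and the sample payloads are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not Infinispan code): restricting what a cache client will
 * deserialize. The trust boundary is the cache itself: any authenticated
 * writer controls the bytes every Hot Rod client later deserializes.
 *
 * Hot Rod client side (assumed API of the fixed 9.2 line, shown only as a note
 * so this file compiles without the Infinispan dependency):
 *   org.infinispan.client.hotrod.configuration.ConfigurationBuilder b =
 *       new org.infinispan.client.hotrod.configuration.ConfigurationBuilder();
 *   b.addServer().host("127.0.0.1").port(11222);
 *   b.addJavaSerialWhiteList("com\\.example\\.model\\..*");   // regex on class names
 * or, as a system property: -Dinfinispan.client.hotrod.java_serial_whitelist=com\.example\.model\..*
 */
public class SafeCacheValueReader {

    /** Constructed sample: the only value type this application expects from the cache. */
    public static final class Person implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Person(String name) { this.name = name; }
    }

    // Allow-list filter. Patterns are evaluated left to right; the trailing "!*"
    // rejects every class not matched earlier. maxdepth/maxrefs bound the nesting
    // and object-graph size so a hostile stream cannot exhaust the heap either.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;"
            + SafeCacheValueReader.class.getName() + "$Person;"
            + "!*");

    /** Deserialize bytes that came back from the cache, applying the allow-list. */
    public static Object readValue(byte[] fromCache) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            in.setObjectInputFilter(FILTER);   // a rejected class raises InvalidClassException
            return in.readObject();
        }
    }

    /** Plain Java serialization, used here only to build the sample payloads. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected value type round-trips through the filter.
        Person p = (Person) readValue(serialize(new Person("alice")));
        System.out.println("accepted: " + p.name);

        // Constructed stand-in for attacker-written cache content: a class outside
        // the allow-list. A real payload would be a gadget chain built from library
        // classes, but the filter rejects on the class name before any readObject runs.
        byte[] hostile = serialize(new java.util.ArrayList<>(java.util.List.of("x")));
        try {
            readValue(hostile);
            System.out.println("BUG: hostile payload was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 9 or later JDK (javac SafeCacheValueReader.java && java SafeCacheValueReader); the first read prints "accepted: alice" and the second is rejected with a filter-status message. The application-level filter is worth keeping even after upgrading, because it protects any other path by which cache bytes reach ObjectInputStream, not only the Hot Rod client's own read.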
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-15089
- WEB https://github.com/infinispan/infinispan/pull/5639
- WEB https://github.com/infinispan/infinispan/commit/1deadcb1c74ea0337abd5382c0150b000f6b106f
- WEB https://github.com/infinispan/infinispan/commit/2944b0d1369a230bde88392b222921537c99331e
- WEB https://access.redhat.com/errata/RHSA-2018:0294
- WEB https://access.redhat.com/errata/RHSA-2018:0478
- WEB https://access.redhat.com/errata/RHSA-2018:0479
- WEB https://access.redhat.com/errata/RHSA-2018:0480
- WEB https://access.redhat.com/errata/RHSA-2018:0481
- WEB https://access.redhat.com/errata/RHSA-2018:0501
- WEB https://access.redhat.com/errata/RHSA-2019:1326
- PACKAGE https://github.com/infinispan/infinispan