CVE-2017-2638
Vulnerability from cvelistv5
Published
2018-07-16 13:00
Modified
2024-08-05 14:02
Severity
Summary
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
References
Source | URL | Tags |
---|---|---|
secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2017-1097.html | Third Party Advisory |
secalert@redhat.com | http://www.securityfocus.com/bid/97964 | Third Party Advisory, VDB Entry |
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638 | Issue Tracking, Patch, Third Party Advisory |
secalert@redhat.com | https://github.com/infinispan/infinispan/pull/4936/commits | Patch, Third Party Advisory |
secalert@redhat.com | https://issues.jboss.org/browse/ISPN-7485 | Third Party Advisory |
Impacted products
Vendor | Product |
---|---|
[UNKNOWN] | infinispan |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T14:02:06.903Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638" }, { "name": "RHSA-2017:1097", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.jboss.org/browse/ISPN-7485" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/infinispan/infinispan/pull/4936/commits" }, { "name": "97964", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97964" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "infinispan", "vendor": "[UNKNOWN]", "versions": [ { "status": "affected", "version": "Infinispan 9.0.0.Final" } ] } ], "datePublic": "2017-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-306", "description": "CWE-306", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-07-17T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638" }, { "name": "RHSA-2017:1097", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.jboss.org/browse/ISPN-7485" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/infinispan/infinispan/pull/4936/commits" }, { "name": "97964", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97964" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-2638", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "infinispan", "version": { "version_data": [ { "version_value": "Infinispan 9.0.0.Final" } ] } } ] }, "vendor_name": "[UNKNOWN]" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name." } ] }, "impact": { "cvss": [ [ { "vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } ] ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-306" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638" }, { "name": "RHSA-2017:1097", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html" }, { "name": "https://issues.jboss.org/browse/ISPN-7485", "refsource": "CONFIRM", "url": "https://issues.jboss.org/browse/ISPN-7485" }, { "name": "https://github.com/infinispan/infinispan/pull/4936/commits", "refsource": "CONFIRM", "url": "https://github.com/infinispan/infinispan/pull/4936/commits" }, { "name": "97964", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97964" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-2638", "datePublished": "2018-07-16T13:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-08-05T14:02:06.903Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2017-2638\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2018-07-16T13:29:00.223\",\"lastModified\":\"2019-10-09T23:27:00.257\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto que la API REST en Infinispan en versiones anteriores a la 9.0.0 no aplicaba correctamente las restricciones auth. Un atacante podr\u00eda emplear esta vulnerabilidad para leer o modificar datos en la cach\u00e9 por defecto o un nombre de cach\u00e9 conocido.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.4},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.0.0\",\"matchCriteriaId\":\"4A8499D5-3044-41F2-91D8-5B97521FD35A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8912FC8-FAC1-4503-85F7-3231675450FE\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2017-1097.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/97964\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/infinispan/infinispan/pull/4936/commits\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://issues.jboss.org/browse/ISPN-7485\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Loading...