cvelistv5 - cve-2017-2638

Source	URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2017-1097.html	Third Party Advisory
secalert@redhat.com	http://www.securityfocus.com/bid/97964	Third Party Advisory, VDB Entry
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638	Issue Tracking, Patch, Third Party Advisory
secalert@redhat.com	https://github.com/infinispan/infinispan/pull/4936/commits	Patch, Third Party Advisory
secalert@redhat.com	https://issues.jboss.org/browse/ISPN-7485	Third Party Advisory

Vendor	Product
[UNKNOWN]	infinispan

ghsa-mvxp-3j62-jqr6

Vulnerability from github

Published

2022-05-13 01:36

Modified

2023-07-31 22:13

Severity

6.5 (Medium) - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

Infinispan Rest API Does Not Enforce Auth Constraints

Details

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.infinispan:infinispan-server-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-2638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T22:13:08Z",
    "nvd_published_at": "2018-07-16T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
  "id": "GHSA-mvxp-3j62-jqr6",
  "modified": "2023-07-31T22:13:08Z",
  "published": "2022-05-13T01:36:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/infinispan/infinispan/pull/4936"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
    },
    {
      "type": "WEB",
      "url": "https://issues.jboss.org/browse/ISPN-7485"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97964"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Infinispan Rest API Does Not Enforce Auth Constraints"
}

rhsa-2017_1097

Vulnerability from csaf_redhat

Published

2017-04-19 16:23

Modified

2024-09-16 00:19

Summary

Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1

Notes

Topic

Red Hat JBoss Data Grid 7.1 is now available for download from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 7.1.0 serves as a replacement for Red Hat JBoss Data Grid 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References. Security Fix(es): * An infinite-loop vulnerability was discovered in Netty's OpenSslEngine handling of renegotiation. An attacker could exploit this flaw to cause a denial of service. Note: Netty is only vulnerable if renegotiation is enabled (default setting). (CVE-2016-4970) * It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. (CVE-2017-2638) The CVE-2017-2638 issue was discovered by Jonathan Mason (Red Hat).

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Data Grid 7.1 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.\n\nThis release of Red Hat JBoss Data Grid 7.1.0 serves as a replacement for Red Hat JBoss Data Grid 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References.\n\nSecurity Fix(es):\n\n* An infinite-loop vulnerability was discovered in Netty\u0027s OpenSslEngine handling of renegotiation. An attacker could exploit this flaw to cause a denial of service. Note: Netty is only vulnerable if renegotiation is enabled (default setting). (CVE-2016-4970)\n\n* It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. (CVE-2017-2638)\n\nThe CVE-2017-2638 issue was discovered by Jonathan Mason (Red Hat).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:1097",
        "url": "https://access.redhat.com/errata/RHSA-2017:1097"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions\u0026version=7.1.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions\u0026version=7.1.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/",
        "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/"
      },
      {
        "category": "external",
        "summary": "1343616",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616"
      },
      {
        "category": "external",
        "summary": "1428564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428564"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2017/rhsa-2017_1097.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1",
    "tracking": {
      "current_release_date": "2024-09-16T00:19:00+00:00",
      "generator": {
        "date": "2024-09-16T00:19:00+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2017:1097",
      "initial_release_date": "2017-04-19T16:23:10+00:00",
      "revision_history": [
        {
          "date": "2017-04-19T16:23:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-04-19T16:23:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-16T00:19:00+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Data Grid 7.1",
                "product": {
                  "name": "Red Hat JBoss Data Grid 7.1",
                  "product_id": "Red Hat JBoss Data Grid 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_grid:7.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Data Grid"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-4970",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2016-06-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1343616"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Grid 7.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-4970"
        },
        {
          "category": "external",
          "summary": "RHBZ#1343616",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-4970",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-4970"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970"
        }
      ],
      "release_date": "2016-06-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).",
          "product_ids": [
            "Red Hat JBoss Data Grid 7.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:1097"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Grid 7.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jonathan Mason"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2017-2638",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2017-03-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1428564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "infinispan: auth bypass in REST api",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Grid 7.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-2638"
        },
        {
          "category": "external",
          "summary": "RHBZ#1428564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-2638",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-2638"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638"
        }
      ],
      "release_date": "2017-04-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).",
          "product_ids": [
            "Red Hat JBoss Data Grid 7.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:1097"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Grid 7.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "infinispan: auth bypass in REST api"
    }
  ]
}

gsd-2017-2638

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Aliases

CVE-2017-2638

Aliases

CVE-2017-2638

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-2638",
    "description": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
    "id": "GSD-2017-2638",
    "references": [
      "https://access.redhat.com/errata/RHSA-2017:1097"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-2638"
      ],
      "details": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
      "id": "GSD-2017-2638",
      "modified": "2023-12-13T01:21:05.772983Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2017-2638",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "infinispan",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Infinispan 9.0.0.Final"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "[UNKNOWN]"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."
          }
        ]
      },
      "impact": {
        "cvss": [
          [
            {
              "vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.0"
            }
          ]
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-306"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
          },
          {
            "name": "RHSA-2017:1097",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
          },
          {
            "name": "https://issues.jboss.org/browse/ISPN-7485",
            "refsource": "CONFIRM",
            "url": "https://issues.jboss.org/browse/ISPN-7485"
          },
          {
            "name": "https://github.com/infinispan/infinispan/pull/4936/commits",
            "refsource": "CONFIRM",
            "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
          },
          {
            "name": "97964",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/97964"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,9.0.0)",
          "affected_versions": "All versions before 9.0.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-07-31",
          "description": "It was found that the REST API in Infinispan before version 9.0.0 does not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
          "fixed_versions": [
            "9.0.0"
          ],
          "identifier": "CVE-2017-2638",
          "identifiers": [
            "GHSA-mvxp-3j62-jqr6",
            "CVE-2017-2638"
          ],
          "not_impacted": "All versions starting from 9.0.0",
          "package_slug": "maven/org.infinispan/infinispan-server-core",
          "pubdate": "2022-05-13",
          "solution": "Upgrade to version 9.0.0 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-2638",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638",
            "https://issues.jboss.org/browse/ISPN-7485",
            "http://rhn.redhat.com/errata/RHSA-2017-1097.html",
            "http://www.securityfocus.com/bid/97964",
            "https://github.com/infinispan/infinispan/pull/4936",
            "https://github.com/advisories/GHSA-mvxp-3j62-jqr6"
          ],
          "uuid": "65b2395b-d968-4548-9ced-aaf5a3d78d25"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-2638"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://issues.jboss.org/browse/ISPN-7485",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://issues.jboss.org/browse/ISPN-7485"
            },
            {
              "name": "https://github.com/infinispan/infinispan/pull/4936/commits",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
            },
            {
              "name": "97964",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/97964"
            },
            {
              "name": "RHSA-2017:1097",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2019-10-09T23:27Z",
      "publishedDate": "2018-07-16T13:29Z"
    }
  }
}

Action not permitted

cve-2017-2638

Vulnerability from cvelistv5

ghsa-mvxp-3j62-jqr6

Vulnerability from github

rhsa-2017_1097

Vulnerability from csaf_redhat

gsd-2017-2638

Vulnerability from gsd

Tags