cvelistv5 - cve-2017-2638

CVE-2017-2638 (GCVE-0-2017-2638)

Vulnerability from cvelistv5 – Published: 2018-07-16 13:00 – Updated: 2024-08-05 14:02

Summary

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-306

Assigner

redhat

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2…	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2017-1097.html	vendor-advisoryx_refsource_REDHAT
	https://issues.jboss.org/browse/ISPN-7485	x_refsource_CONFIRM
	https://github.com/infinispan/infinispan/pull/493…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/97964	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	[UNKNOWN]	infinispan	Affected: Infinispan 9.0.0.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:02:06.903Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
          },
          {
            "name": "RHSA-2017:1097",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.jboss.org/browse/ISPN-7485"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
          },
          {
            "name": "97964",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97964"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "infinispan",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "Infinispan 9.0.0.Final"
            }
          ]
        }
      ],
      "datePublic": "2017-04-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-17T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
        },
        {
          "name": "RHSA-2017:1097",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.jboss.org/browse/ISPN-7485"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
        },
        {
          "name": "97964",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97964"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-2638",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "infinispan",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Infinispan 9.0.0.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "[UNKNOWN]"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-306"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
            },
            {
              "name": "RHSA-2017:1097",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
            },
            {
              "name": "https://issues.jboss.org/browse/ISPN-7485",
              "refsource": "CONFIRM",
              "url": "https://issues.jboss.org/browse/ISPN-7485"
            },
            {
              "name": "https://github.com/infinispan/infinispan/pull/4936/commits",
              "refsource": "CONFIRM",
              "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
            },
            {
              "name": "97964",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97964"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2017-2638",
    "datePublished": "2018-07-16T13:00:00",
    "dateReserved": "2016-12-01T00:00:00",
    "dateUpdated": "2024-08-05T14:02:06.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"9.0.0\", \"matchCriteriaId\": \"4A8499D5-3044-41F2-91D8-5B97521FD35A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E8912FC8-FAC1-4503-85F7-3231675450FE\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.\"}, {\"lang\": \"es\", \"value\": \"Se ha descubierto que la API REST en Infinispan en versiones anteriores a la 9.0.0 no aplicaba correctamente las restricciones auth. Un atacante podr\\u00eda emplear esta vulnerabilidad para leer o modificar datos en la cach\\u00e9 por defecto o un nombre de cach\\u00e9 conocido.\"}]",
      "id": "CVE-2017-2638",
      "lastModified": "2024-11-21T03:23:53.103",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-07-16T13:29:00.223",
      "references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2017-1097.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/97964\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/infinispan/infinispan/pull/4936/commits\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://issues.jboss.org/browse/ISPN-7485\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2017-1097.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/97964\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/infinispan/infinispan/pull/4936/commits\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://issues.jboss.org/browse/ISPN-7485\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-2638\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2018-07-16T13:29:00.223\",\"lastModified\":\"2024-11-21T03:23:53.103\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto que la API REST en Infinispan en versiones anteriores a la 9.0.0 no aplicaba correctamente las restricciones auth. Un atacante podr\u00eda emplear esta vulnerabilidad para leer o modificar datos en la cach\u00e9 por defecto o un nombre de cach\u00e9 conocido.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.0.0\",\"matchCriteriaId\":\"4A8499D5-3044-41F2-91D8-5B97521FD35A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8912FC8-FAC1-4503-85F7-3231675450FE\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2017-1097.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/97964\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/infinispan/infinispan/pull/4936/commits\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://issues.jboss.org/browse/ISPN-7485\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2017-1097.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/97964\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/infinispan/infinispan/pull/4936/commits\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://issues.jboss.org/browse/ISPN-7485\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

RHSA-2017:1097

Vulnerability from csaf_redhat - Published: 2017-04-19 16:23 - Updated: 2025-11-21 18:00

Summary

Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1

Notes

Topic

Red Hat JBoss Data Grid 7.1 is now available for download from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 7.1.0 serves as a replacement for Red Hat JBoss Data Grid 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References. Security Fix(es): * An infinite-loop vulnerability was discovered in Netty's OpenSslEngine handling of renegotiation. An attacker could exploit this flaw to cause a denial of service. Note: Netty is only vulnerable if renegotiation is enabled (default setting). (CVE-2016-4970) * It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. (CVE-2017-2638) The CVE-2017-2638 issue was discovered by Jonathan Mason (Red Hat).

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Data Grid 7.1 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.\n\nThis release of Red Hat JBoss Data Grid 7.1.0 serves as a replacement for Red Hat JBoss Data Grid 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References.\n\nSecurity Fix(es):\n\n* An infinite-loop vulnerability was discovered in Netty\u0027s OpenSslEngine handling of renegotiation. An attacker could exploit this flaw to cause a denial of service. Note: Netty is only vulnerable if renegotiation is enabled (default setting). (CVE-2016-4970)\n\n* It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. (CVE-2017-2638)\n\nThe CVE-2017-2638 issue was discovered by Jonathan Mason (Red Hat).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:1097",
        "url": "https://access.redhat.com/errata/RHSA-2017:1097"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions\u0026version=7.1.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions\u0026version=7.1.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/",
        "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/"
      },
      {
        "category": "external",
        "summary": "1343616",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616"
      },
      {
        "category": "external",
        "summary": "1428564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428564"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1097.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1",
    "tracking": {
      "current_release_date": "2025-11-21T18:00:17+00:00",
      "generator": {
        "date": "2025-11-21T18:00:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2017:1097",
      "initial_release_date": "2017-04-19T16:23:10+00:00",
      "revision_history": [
        {
          "date": "2017-04-19T16:23:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-04-19T16:23:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T18:00:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Data Grid 7.1",
                "product": {
                  "name": "Red Hat JBoss Data Grid 7.1",
                  "product_id": "Red Hat JBoss Data Grid 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_grid:7.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Data Grid"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-4970",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2016-06-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1343616"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Grid 7.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-4970"
        },
        {
          "category": "external",
          "summary": "RHBZ#1343616",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-4970",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-4970"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970"
        }
      ],
      "release_date": "2016-06-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-19T16:23:10+00:00",
          "details": "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).",
          "product_ids": [
            "Red Hat JBoss Data Grid 7.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:1097"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Grid 7.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jonathan Mason"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2017-2638",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2017-03-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1428564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "infinispan: auth bypass in REST api",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Grid 7.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-2638"
        },
        {
          "category": "external",
          "summary": "RHBZ#1428564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-2638",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-2638"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638"
        }
      ],
      "release_date": "2017-04-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-19T16:23:10+00:00",
          "details": "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).",
          "product_ids": [
            "Red Hat JBoss Data Grid 7.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:1097"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Grid 7.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "infinispan: auth bypass in REST api"
    }
  ]
}

RHSA-2017_1097

Vulnerability from csaf_redhat - Published: 2017-04-19 16:23 - Updated: 2024-11-22 11:05

Summary

Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Data Grid 7.1 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.\n\nThis release of Red Hat JBoss Data Grid 7.1.0 serves as a replacement for Red Hat JBoss Data Grid 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References.\n\nSecurity Fix(es):\n\n* An infinite-loop vulnerability was discovered in Netty\u0027s OpenSslEngine handling of renegotiation. An attacker could exploit this flaw to cause a denial of service. Note: Netty is only vulnerable if renegotiation is enabled (default setting). (CVE-2016-4970)\n\n* It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. (CVE-2017-2638)\n\nThe CVE-2017-2638 issue was discovered by Jonathan Mason (Red Hat).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:1097",
        "url": "https://access.redhat.com/errata/RHSA-2017:1097"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions\u0026version=7.1.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid\u0026downloadType=distributions\u0026version=7.1.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/",
        "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/"
      },
      {
        "category": "external",
        "summary": "1343616",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616"
      },
      {
        "category": "external",
        "summary": "1428564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428564"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1097.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1",
    "tracking": {
      "current_release_date": "2024-11-22T11:05:33+00:00",
      "generator": {
        "date": "2024-11-22T11:05:33+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2017:1097",
      "initial_release_date": "2017-04-19T16:23:10+00:00",
      "revision_history": [
        {
          "date": "2017-04-19T16:23:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-04-19T16:23:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T11:05:33+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Data Grid 7.1",
                "product": {
                  "name": "Red Hat JBoss Data Grid 7.1",
                  "product_id": "Red Hat JBoss Data Grid 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_grid:7.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Data Grid"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-4970",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2016-06-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1343616"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Grid 7.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-4970"
        },
        {
          "category": "external",
          "summary": "RHBZ#1343616",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-4970",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-4970"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970"
        }
      ],
      "release_date": "2016-06-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-19T16:23:10+00:00",
          "details": "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).",
          "product_ids": [
            "Red Hat JBoss Data Grid 7.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:1097"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Grid 7.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jonathan Mason"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2017-2638",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2017-03-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1428564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "infinispan: auth bypass in REST api",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Grid 7.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-2638"
        },
        {
          "category": "external",
          "summary": "RHBZ#1428564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-2638",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-2638"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638"
        }
      ],
      "release_date": "2017-04-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-19T16:23:10+00:00",
          "details": "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).",
          "product_ids": [
            "Red Hat JBoss Data Grid 7.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:1097"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Grid 7.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "infinispan: auth bypass in REST api"
    }
  ]
}

GHSA-MVXP-3J62-JQR6

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2023-07-31 22:13

Summary

Infinispan Rest API Does Not Enforce Auth Constraints

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.infinispan:infinispan-server-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-2638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T22:13:08Z",
    "nvd_published_at": "2018-07-16T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
  "id": "GHSA-mvxp-3j62-jqr6",
  "modified": "2023-07-31T22:13:08Z",
  "published": "2022-05-13T01:36:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/infinispan/infinispan/pull/4936"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
    },
    {
      "type": "WEB",
      "url": "https://issues.jboss.org/browse/ISPN-7485"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97964"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Infinispan Rest API Does Not Enforce Auth Constraints"
}

GSD-2017-2638

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-2638

Aliases

CVE-2017-2638

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-2638",
    "description": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
    "id": "GSD-2017-2638",
    "references": [
      "https://access.redhat.com/errata/RHSA-2017:1097"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-2638"
      ],
      "details": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
      "id": "GSD-2017-2638",
      "modified": "2023-12-13T01:21:05.772983Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2017-2638",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "infinispan",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Infinispan 9.0.0.Final"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "[UNKNOWN]"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."
          }
        ]
      },
      "impact": {
        "cvss": [
          [
            {
              "vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.0"
            }
          ]
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-306"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
          },
          {
            "name": "RHSA-2017:1097",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
          },
          {
            "name": "https://issues.jboss.org/browse/ISPN-7485",
            "refsource": "CONFIRM",
            "url": "https://issues.jboss.org/browse/ISPN-7485"
          },
          {
            "name": "https://github.com/infinispan/infinispan/pull/4936/commits",
            "refsource": "CONFIRM",
            "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
          },
          {
            "name": "97964",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/97964"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,9.0.0)",
          "affected_versions": "All versions before 9.0.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-07-31",
          "description": "It was found that the REST API in Infinispan before version 9.0.0 does not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.",
          "fixed_versions": [
            "9.0.0"
          ],
          "identifier": "CVE-2017-2638",
          "identifiers": [
            "GHSA-mvxp-3j62-jqr6",
            "CVE-2017-2638"
          ],
          "not_impacted": "All versions starting from 9.0.0",
          "package_slug": "maven/org.infinispan/infinispan-server-core",
          "pubdate": "2022-05-13",
          "solution": "Upgrade to version 9.0.0 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-2638",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638",
            "https://issues.jboss.org/browse/ISPN-7485",
            "http://rhn.redhat.com/errata/RHSA-2017-1097.html",
            "http://www.securityfocus.com/bid/97964",
            "https://github.com/infinispan/infinispan/pull/4936",
            "https://github.com/advisories/GHSA-mvxp-3j62-jqr6"
          ],
          "uuid": "65b2395b-d968-4548-9ced-aaf5a3d78d25"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-2638"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://issues.jboss.org/browse/ISPN-7485",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://issues.jboss.org/browse/ISPN-7485"
            },
            {
              "name": "https://github.com/infinispan/infinispan/pull/4936/commits",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
            },
            {
              "name": "97964",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/97964"
            },
            {
              "name": "RHSA-2017:1097",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2019-10-09T23:27Z",
      "publishedDate": "2018-07-16T13:29Z"
    }
  }
}

FKIE_CVE-2017-2638

Vulnerability from fkie_nvd - Published: 2018-07-16 13:29 - Updated: 2024-11-21 03:23

Severity ?

6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2017-1097.html	Third Party Advisory
secalert@redhat.com	http://www.securityfocus.com/bid/97964	Third Party Advisory, VDB Entry
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638	Issue Tracking, Patch, Third Party Advisory
secalert@redhat.com	https://github.com/infinispan/infinispan/pull/4936/commits	Patch, Third Party Advisory
secalert@redhat.com	https://issues.jboss.org/browse/ISPN-7485	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2017-1097.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/97964	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/infinispan/infinispan/pull/4936/commits	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://issues.jboss.org/browse/ISPN-7485	Third Party Advisory

Impacted products

	Vendor	Product	Version
	infinispan	infinispan	*
	redhat	jboss_data_grid	7.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A8499D5-3044-41F2-91D8-5B97521FD35A",
              "versionEndExcluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8912FC8-FAC1-4503-85F7-3231675450FE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto que la API REST en Infinispan en versiones anteriores a la 9.0.0 no aplicaba correctamente las restricciones auth. Un atacante podr\u00eda emplear esta vulnerabilidad para leer o modificar datos en la cach\u00e9 por defecto o un nombre de cach\u00e9 conocido."
    }
  ],
  "id": "CVE-2017-2638",
  "lastModified": "2024-11-21T03:23:53.103",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-07-16T13:29:00.223",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97964"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://issues.jboss.org/browse/ISPN-7485"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97964"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/infinispan/infinispan/pull/4936/commits"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://issues.jboss.org/browse/ISPN-7485"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2017-06732

Vulnerability from cnvd - Published: 2017-05-16

Title

infinispan身份验证绕过漏洞

Description

infinispan是一个开源的分布式数据网格平台。 infinispan 9.0.0.Final之前的版本中存在身份验证绕过漏洞。攻击者可利用该漏洞绕过身份验证机制，获取敏感信息。

Severity

中

Patch Name

infinispan身份验证绕过漏洞的补丁

Patch Description

infinispan是一个开源的分布式数据网格平台。 infinispan 9.0.0.Final之前的版本中存在身份验证绕过漏洞。攻击者可利用该漏洞绕过身份验证机制，获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://github.com/infinispan/infinispan/pull/4936

Reference

http://www.securityfocus.com/bid/97964

Impacted products

Name
infinispan infinispan <9.0.0.Final

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "97964"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-2638",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2638"
    }
  },
  "description": "infinispan\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u5206\u5e03\u5f0f\u6570\u636e\u7f51\u683c\u5e73\u53f0\u3002\r\n\r\ninfinispan 9.0.0.Final\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\uff0c\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Jonathan Mason (Red Hat).",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/infinispan/infinispan/pull/4936",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-06732",
  "openTime": "2017-05-16",
  "patchDescription": "infinispan\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u5206\u5e03\u5f0f\u6570\u636e\u7f51\u683c\u5e73\u53f0\u3002\r\n\r\ninfinispan 9.0.0.Final\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\uff0c\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "infinispan\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "infinispan infinispan \u003c9.0.0.Final"
  },
  "referenceLink": "http://www.securityfocus.com/bid/97964",
  "serverity": "\u4e2d",
  "submitTime": "2017-04-27",
  "title": "infinispan\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-2638 (GCVE-0-2017-2638)

RHSA-2017:1097

RHSA-2017_1097

GHSA-MVXP-3J62-JQR6

GSD-2017-2638

FKIE_CVE-2017-2638

CNVD-2017-06732

Tags

Sightings

Nomenclature