CVE-2017-15089

HIGH

Infinispan < 9.1.6 - Insecure Deserialization

Title source: rule

Description

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

References (9)

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1040360

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:0294

[Patch, Third Party Advisory] https://github.com/infinispan/infinispan/pull/5639

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:0478

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:0479

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:0480

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:0481

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:0501

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:1326

Scores

CVSS v3 8.8

EPSS 0.0184

EPSS Percentile 82.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (7)

infinispan/infinispan < 9.1.6

infinispan/infinispan

infinispan/infinispan

infinispan/infinispan

infinispan/infinispan

infinispan/infinispan

org.infinispan/infinispan-core < 9.2.0.CR1Maven

Timeline

Published Feb 15, 2018

Tracked Since Feb 18, 2026