CVE-2017-2638
Severity: MEDIUM
Infinispan < 9.0.0 - Unauthenticated Data Access via REST API
Title source: llmDescription
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
References (5)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638 (Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm)
http://rhn.redhat.com/errata/RHSA-2017-1097.html (Vendor Advisory; x_refsource_redhat)
https://issues.jboss.org/browse/ISPN-7485 (Third Party Advisory; x_refsource_confirm)
https://github.com/infinispan/infinispan/pull/4936/commits (Patch, Third Party Advisory; x_refsource_confirm)
http://www.securityfocus.com/bid/97964 (Third Party Advisory, VDB Entry; x_refsource_bid)
Scores
CVSS v3
6.5
EPSS
0.0156
EPSS Percentile
72.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-287
CWE-306
Status
published
Products (3)
infinispan/infinispan
< 9.0.0
org.infinispan/infinispan-server-core
0 - 9.0.0 (Maven)
redhat/jboss_data_grid
7.1
Published
Jul 16, 2018
Tracked Since
Feb 18, 2026