CVE-2018-1131
Severity: HIGH
Infinispan - Authenticated Remote Code Execution via XML and JSON Transcoders
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
References (4)
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1576492
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/104218
Third Party Advisory, vendor advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:1833
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:3892
Scores
CVSS v3: 8.8
EPSS: 0.0127
EPSS Percentile: 66.2%
Attack Vector: NETWORK
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-349, CWE-502
Status: published
Products (7)
infinispan/infinispan 8.2.10
infinispan/infinispan 9.0.3
infinispan/infinispan 9.1.7
infinispan/infinispan 9.2.2
infinispan/infinispan 9.3.0 alpha1
org.infinispan/infinispan-core (Maven)
redhat/jboss_data_grid 7.2
Published: May 15, 2018
Tracked Since: Feb 18, 2026