CVE-2020-25711
Severity: MEDIUM
Infinispan < 11.0.6 - Missing Authorization for Server Management Operations
Title source: llmDescription
A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authorization is enabled, any authenticated user can perform operations such as shutting down the server without holding the ADMIN role.
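The authorization gap described above, as an added illustration that is not Infinispan's code: a small request dispatcher that authenticates every caller but, in its vulnerable shape, never checks a role before running server management operations, shown beside the fixed dispatcher that gates those operations on ADMIN. The users, tokens, roles and operation names are assumptions made for the example; the audit helper shows the difference between the two shapes for every (user, operation) pair.

```python
# Constructed example of the CWE-862 pattern this CVE describes: an HTTP-style
# dispatcher that authenticates every caller but forgets to authorize server
# management operations, shown beside the fixed dispatcher. This is not
# Infinispan code; the users, roles, token table and operation names below are
# assumptions made for the illustration.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

ADMIN_ROLE = "ADMIN"


class Unauthorized(Exception):
    """No valid credentials were presented."""


class Forbidden(Exception):
    """Credentials were valid but the principal lacks the required role."""


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


# Constructed credential table: bearer token -> principal.
USERS = {
    "tok-alice": Principal("alice", frozenset({ADMIN_ROLE})),
    "tok-bob": Principal("bob", frozenset({"observer"})),
}

# Operations that change the server rather than cache contents. These are the
# ones that must be gated on the ADMIN role in addition to authentication.
MANAGEMENT_OPS = frozenset(
    {"server/stop", "server/restart", "cache/create", "cache/delete"}
)


def authenticate(token: Optional[str]) -> Principal:
    """Authentication only: maps a token to a principal or rejects the call."""
    if token is None or token not in USERS:
        raise Unauthorized("missing or unknown token")
    return USERS[token]


def perform(principal: Principal, op: str) -> str:
    """Stand-in for the real operation; it just records who ran what."""
    return f"{op} executed by {principal.name}"


def dispatch_vulnerable(token: Optional[str], op: str) -> str:
    """Vulnerable shape: any authenticated principal reaches every operation."""
    principal = authenticate(token)
    return perform(principal, op)


def dispatch_fixed(token: Optional[str], op: str) -> str:
    """Fixed shape: management operations additionally require the ADMIN role."""
    principal = authenticate(token)
    if op in MANAGEMENT_OPS and ADMIN_ROLE not in principal.roles:
        raise Forbidden(f"{principal.name} lacks {ADMIN_ROLE} for {op}")
    return perform(principal, op)


Dispatcher = Callable[[Optional[str], str], str]


def is_allowed(dispatch: Dispatcher, token: Optional[str], op: str) -> bool:
    """True if the dispatcher lets this token run this operation."""
    try:
        dispatch(token, op)
    except (Unauthorized, Forbidden):
        return False
    return True


def audit(dispatch: Dispatcher) -> dict:
    """Which (user, op) pairs a dispatcher permits: a quick regression check
    for the authorization gap across all users and management operations."""
    return {
        (USERS[t].name, op): is_allowed(dispatch, t, op)
        for t in USERS
        for op in sorted(MANAGEMENT_OPS | {"cache/get"})
    }


if __name__ == "__main__":
    for label, d in (("vulnerable", dispatch_vulnerable), ("fixed", dispatch_fixed)):
        print(label)
        for (user, op), ok in audit(d).items():
            print(f"  {user:6} {op:14} {'allowed' if ok else 'denied'}")
```

The point of the `audit` helper is that the check lives in one place and is exercised for every management operation: an authenticated non-admin ("bob") is allowed to run `server/stop` through `dispatch_vulnerable` and refused by `dispatch_fixed`, while ordinary data operations such as `cache/get` remain available to him in both.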
References (2)
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1897618
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220210-0023/
Scores
CVSS v3: 6.5 (MEDIUM)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0018 (percentile 39.6%)
Note that the vector scores Privileges Required as High, while the description states that any authenticated user without the ADMIN role can trigger the affected management operations; treat the practical bar for exploitation as a valid account on the REST API.
Details
CWE: CWE-862 (Missing Authorization)
Status: published
Products (4)
infinispan/infinispan: < 11.0.6
netapp/active_iq_unified_manager (3 CPE variants)
org.infinispan/infinispan-core (Maven): 0 - 11.0.6.Final
redhat/data_grid: 8.0
Published: Dec 03, 2020
Tracked Since: Feb 18, 2026