First published: Wed Jan 20 2016
It was discovered that the Hot Rod Java client in Infinispan automatically deserializes byte-array message contents in certain events. A malicious user could exploit this flaw by injecting a specially crafted serialized object to attain remote code execution or conduct other attacks. Code link: https://github.com/infinispan/infinispan/blob/master/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/marshall/MarshallerUtil.java#L39
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Infinispan Infinispan | <9.1.0 | |
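The flaw described above is the generic Java pattern of handing attacker-controlled bytes straight to `ObjectInputStream.readObject()`, which lets the stream choose which classes get instantiated. The following is an added example, not Infinispan's own code or its `MarshallerUtil`: it places the unguarded pattern beside a hardened variant whose `ObjectInputStream` subclass resolves only classes on an explicit allowlist, so any other class descriptor in the stream is rejected before its deserialization logic runs. The `CacheValue` type, the `SafeUnmarshal` class and the sample payloads are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeUnmarshal {

    // Constructed sample type standing in for the value type a client expects from the cache.
    public static final class CacheValue implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        CacheValue(String text) { this.text = text; }
    }

    // Unguarded pattern: whatever class names the byte stream carries are loaded and
    // deserialized, so the sender decides which code runs during readObject().
    static Object unsafeUnmarshal(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: resolveClass() is consulted for every non-String class descriptor
    // in the stream, so a descriptor outside the allowlist aborts deserialization early.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] bytes, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(bytes));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object safeUnmarshal(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(bytes, allowed)) {
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample payloads below.
    static byte[] marshal(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(CacheValue.class.getName());

        // The expected value type passes the allowlist.
        byte[] expected = marshal(new CacheValue("hello"));
        CacheValue v = (CacheValue) safeUnmarshal(expected, allowed);
        System.out.println("accepted: " + v.text);

        // A stream carrying any other class (a harmless java.util type here, standing in for
        // an unexpected payload) is rejected at resolveClass(), before its object graph is built.
        byte[] unexpected = marshal(new ArrayList<>(List.of("x")));
        try {
            safeUnmarshal(unexpected, allowed);
            System.out.println("accepted unexpected class (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints `accepted: hello` followed by a `rejected:` line naming `java.util.ArrayList`. The allowlist approach works on any Java version; on Java 9 and later the same policy can be expressed without subclassing via `ObjectInputFilter` (JEP 290), applied per stream with `ObjectInputStream.setObjectInputFilter` or process-wide with the `jdk.serialFilter` system property. Either way the decision is made from the class descriptor alone, which is why it runs before any `readObject` or `readResolve` method from the stream's classes.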