CVE-2023-3628: Infispan: rest bulk ops don't check permissions
First published: Tue Jun 27 2023(Updated: )
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.infinispan:infinispan-server-rest | <14.0.18.Final | 14.0.18.Final |
| maven/org.infinispan:infinispan-server-rest | >=15.0.0.Dev01<15.0.0.Dev04 | 15.0.0.Dev04 |
| Red Hat JBoss Data Grid | ||
| JBoss Enterprise Application Platform | =6 | |
| Red Hat Data Grid | <8.4.4 | |
| Infinispan |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2023:5396
- https://bugzilla.redhat.com/show_bug.cgi?id=2217924
- https://access.redhat.com/security/cve/CVE-2023-3628
- https://nvd.nist.gov/vuln/detail/CVE-2023-3628
- https://security.netapp.com/advisory/ntap-20240125-0004
- https://github.com/infinispan/infinispan/commit/70a50352d9195753a588d0fba8c2063b99f96263
- https://github.com/infinispan/infinispan/commit/b34488dcab8bdd4258972568b8405ee7111276ec
- https://github.com/advisories/GHSA-fhr7-8jx4-r9cp (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-3628?
CVE-2023-3628 has been classified as a moderate severity vulnerability due to potential unauthorized information access.
How do I fix CVE-2023-3628?
To remediate CVE-2023-3628, update Infinispan to version 14.0.18.Final or 15.0.0.Dev04 or later.
What software is affected by CVE-2023-3628?
CVE-2023-3628 affects several versions of Infinispan, Red Hat JBoss Data Grid, and Red Hat JBoss Enterprise Application Platform.
Can CVE-2023-3628 be exploited remotely?
CVE-2023-3628 is not typically remotely exploitable, as it requires authenticated access to the REST bulk read endpoints.
What type of vulnerability is CVE-2023-3628?
CVE-2023-3628 is an authorization flaw that allows authenticated users to access data beyond their permitted scope.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3628
- agent/severity
- agent/weakness
- agent/description
- agent/title
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fhr7-8jx4-r9cp
- agent/software-canonical-lookup
- agent/references
- agent/event
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/maven
- vendor/redhat
- canonical/red hat jboss data grid
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/6
- canonical/red hat data grid
- vendor/infinispan
- canonical/infinispan