CVE-2023-3629: Infinispan: non-admins should not be able to get cache config via rest api
First published: Tue Jun 27 2023(Updated: )
A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.infinispan:infinispan-server-rest | <14.0.18.Final | 14.0.18.Final |
| maven/org.infinispan:infinispan-server-rest | >=15.0.0.Dev01<15.0.0.Dev04 | 15.0.0.Dev04 |
| Red Hat Data Grid | <8.4.4 | |
| Red Hat JBoss Data Grid | ||
| JBoss Enterprise Application Platform | =6 | |
| Infinispan |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2023:5396
- https://bugzilla.redhat.com/show_bug.cgi?id=2217926
- https://access.redhat.com/security/cve/CVE-2023-3629
- https://nvd.nist.gov/vuln/detail/CVE-2023-3629
- https://security.netapp.com/advisory/ntap-20240125-0004
- https://github.com/infinispan/infinispan/commit/11b3cb0f7ba68b73dd32f655ff3f3df842a0c6bd
- https://github.com/infinispan/infinispan/commit/1e3cc542336d2f49743ab8176ed6f1175e034c59
- https://github.com/advisories/GHSA-r4w2-hjmr-36m7 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-3629?
CVE-2023-3629 is considered a moderate severity vulnerability due to improper permission checks in Infinispan's REST endpoints.
How do I fix CVE-2023-3629?
To remediate CVE-2023-3629, upgrade to Infinispan version 14.0.18.Final or 15.0.0.Dev04 or apply necessary patches as indicated by vendor advisories.
What impact does CVE-2023-3629 have on user access?
CVE-2023-3629 could allow authenticated users to access sensitive cache information that they should not have permission to view.
Which Infinispan versions are affected by CVE-2023-3629?
CVE-2023-3629 affects Infinispan versions prior to 14.0.18.Final and those between 15.0.0.Dev01 and 15.0.0.Dev04.
Is user authentication sufficient to protect against CVE-2023-3629?
No, user authentication alone is inadequate because the flaw allows authenticated users to bypass intended access controls.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3629
- agent/weakness
- agent/description
- agent/title
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r4w2-hjmr-36m7
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/event
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/maven
- vendor/redhat
- canonical/red hat data grid
- canonical/red hat jboss data grid
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/6
- vendor/infinispan
- canonical/infinispan