CVE-2017-15089
Severity: HIGH 8.8 | EPSS 1.8%
Deserialization of Untrusted Data in Infinispan
Published: 5/14/2022
Modified: 11/8/2023
Description
It was found that the Hot Rod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache and have it deserialized on the client, and possibly conduct further attacks.
Affected packages (1)
- Maven / org.infinispan:infinispan-core: from 0, < 9.2.0.CR1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-15089
- PATCH: https://github.com/infinispan/infinispan
- WEB: https://access.redhat.com/errata/RHSA-2018:0294
- WEB: https://access.redhat.com/errata/RHSA-2018:0478
- WEB: https://access.redhat.com/errata/RHSA-2018:0479
- WEB: https://access.redhat.com/errata/RHSA-2018:0480
- WEB: https://access.redhat.com/errata/RHSA-2018:0481
- WEB: https://access.redhat.com/errata/RHSA-2018:0501
- WEB: https://access.redhat.com/errata/RHSA-2019:1326
- WEB: https://github.com/infinispan/infinispan/commit/1deadcb1c74ea0337abd5382c0150b000f6b106f
- WEB: https://github.com/infinispan/infinispan/commit/2944b0d1369a230bde88392b222921537c99331e
- WEB: https://github.com/infinispan/infinispan/pull/5639