CVE-2023-3628
MEDIUM6.5EPSS 0.09%Infinispan REST Server's bulk read endpoints do not properly evaluate user permissions
Published: 12/30/2023Modified: 2/4/2026
Description
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
Affected packages (1)
- Maven/org.infinispan:infinispan-server-rest>= 15.0.0.Dev01, < 15.0.0.Dev04
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-3628
- PATCHhttps://github.com/infinispan/infinispan
- WEBhttps://access.redhat.com/errata/RHSA-2023:5396
- WEBhttps://access.redhat.com/security/cve/CVE-2023-3628
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2217924
- WEBhttps://github.com/infinispan/infinispan/commit/70a50352d9195753a588d0fba8c2063b99f96263
- WEBhttps://github.com/infinispan/infinispan/commit/b34488dcab8bdd4258972568b8405ee7111276ec
- WEBhttps://security.netapp.com/advisory/ntap-20240125-0004