CVE-2025-0736 — Infinispan vulnerable to Insertion of Sensitive Information into Log File

Description

A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.

How to fix CVE-2025-0736

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-0736 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 15.1.4.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-0736
PATCHgithub.com/infinispan/infinispan
WEBaccess.redhat.com/errata/RHSA-2025:2663
WEBaccess.redhat.com/security/cve/CVE-2025-0736
WEBbugzilla.redhat.com