CVE-2017-15089
Severity: HIGH 8.8 | EPSS: 1.8% | Deserialization of Untrusted Data in Infinispan
Published: 2022/5/14 | Modified: 2023/11/8
Description
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache, trigger its deserialization on the client, and possibly conduct further attacks.
Affected packages (1)
- Maven / org.infinispan:infinispan-core: from 0, < 9.2.0.CR1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-15089
- PATCH: https://github.com/infinispan/infinispan
- WEB: https://access.redhat.com/errata/RHSA-2018:0294
- WEB: https://access.redhat.com/errata/RHSA-2018:0478
- WEB: https://access.redhat.com/errata/RHSA-2018:0479
- WEB: https://access.redhat.com/errata/RHSA-2018:0480
- WEB: https://access.redhat.com/errata/RHSA-2018:0481
- WEB: https://access.redhat.com/errata/RHSA-2018:0501
- WEB: https://access.redhat.com/errata/RHSA-2019:1326
- WEB: https://github.com/infinispan/infinispan/commit/1deadcb1c74ea0337abd5382c0150b000f6b106f
- WEB: https://github.com/infinispan/infinispan/commit/2944b0d1369a230bde88392b222921537c99331e
- WEB: https://github.com/infinispan/infinispan/pull/5639