Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1131

Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.

Published

2018-05-15T13:29:00.213

Last Modified

2024-11-21T03:59:15.393

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-349
  • Type: Primary
    CWE-502
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application infinispan infinispan 8.2.10 Yes
Application infinispan infinispan 9.0.3 Yes
Application infinispan infinispan 9.1.7 Yes
Application infinispan infinispan 9.2.2 Yes
Application infinispan infinispan 9.3.0 Yes
Application redhat jboss_data_grid 7.2 Yes
References