VYPR
Moderate severity · NVD Advisory · Published Dec 3, 2020 · Updated Aug 4, 2024

CVE-2020-25711

Description

Infinispan 10 REST API lacks authorization checks for server management operations, allowing any authenticated user to shut down the server without ADMIN role.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw was found in Infinispan 10's REST API where authorization permissions are not enforced for certain server management operations. When authorization is enabled, any authenticated user can perform sensitive operations without needing the ADMIN role [1]. The affected operations include server stop, cluster stop, server report, and cache ignore list manipulation [2].

An attacker with network access to the REST API endpoint and valid authentication credentials can exploit this flaw. No privileges are required beyond being an authenticated user: the API accepts requests for these operations without checking whether the caller holds the appropriate role [2].

Successful exploitation allows an attacker to shut down the server or cluster, potentially causing a denial of service. They can also trigger server reports or manipulate the cache ignore list, leading to information disclosure or data inconsistency [1].

The vulnerability affects the org.infinispan:infinispan-server-runtime artifact up to version 11.0.5.Final. Red Hat has addressed this issue in Infinispan 11.0.5.Final and later versions. Users should upgrade to a patched release or apply appropriate access controls to the REST API endpoint [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
org.infinispan:infinispan-core (Maven)   < 11.0.6.Final      11.0.6.Final
