VYPR
High severity · NVD Advisory · Published Dec 18, 2023 · Updated Nov 7, 2025

Infinispan: REST bulk ops don't check permissions

CVE-2023-3628

Description

Authenticated Infinispan users can bypass permission checks on REST bulk read endpoints to access data outside their intended scope.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Root Cause

CVE-2023-3628 is a permission bypass in Infinispan's REST API. The streamKeys and streamEntries methods in the CacheResourceV2 resource handler served bulk reads without an authorization check: neither code path called AuthorizationManager.checkPermission(AuthorizationPermission.BULK_READ) before streaming a cache's keys or entries, so any authenticated user could invoke the keys and entries actions without holding the BULK_READ permission [1][4].

Attack Vector

The vulnerability is exploitable over the network by any authenticated user who can reach the Infinispan REST API; no privilege beyond authentication is needed. The attacker issues a GET against the keys or entries action of the cache resource (the /rest/v2/caches/{cacheName} endpoint with action=keys or action=entries, handled by streamKeys and streamEntries) using an existing session or credentials. Because the server does not enforce BULK_READ on these paths, the request succeeds even when the caller's role grants only READ or WRITE access to individual entries [2][4].
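The check below is an added example, not code from the advisory or from the Infinispan project: a small probe that sends the two bulk-read actions as a low-privilege user and classifies the server as patched (both refused with 403) or vulnerable (a 200 with a streamed body). It assumes the Infinispan REST v2 cache resource with the action=keys / action=entries query parameter and HTTP Basic authentication; the fake_fetch_factory responses are constructed stand-ins so the script runs offline, not real server output.

```python
"""
Probe whether an Infinispan server enforces BULK_READ on the REST v2
keys/entries actions (CVE-2023-3628).

Run it with credentials of a user whose role grants READ or WRITE but
not BULK_READ. A patched server answers 403 on both actions; a
vulnerable one answers 200 and streams every key / entry in the cache.
Added example; not part of the advisory or the Infinispan code base.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# The two bulk operations served by streamKeys / streamEntries in
# CacheResourceV2, selected via the ``action`` query parameter (assumed
# v2 REST layout: GET /rest/v2/caches/{cache}?action=keys|entries).
BULK_ACTIONS = ("keys", "entries")

# A fetcher takes (url, headers) and returns (http_status, body).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default fetcher: urllib GET that returns the status even on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """Build the HTTP Basic Authorization header for the probing user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def probe_bulk_read(base_url: str, cache: str, headers: Dict[str, str],
                    fetch: Fetcher = http_fetch) -> Dict[str, int]:
    """Return {action: HTTP status} for both bulk-read actions on one cache."""
    results: Dict[str, int] = {}
    for action in BULK_ACTIONS:
        url = f"{base_url.rstrip('/')}/rest/v2/caches/{cache}?action={action}"
        status, _body = fetch(url, headers)
        results[action] = status
    return results


def classify(results: Dict[str, int]) -> str:
    """
    'patched'      every bulk action refused with 403
    'vulnerable'   at least one bulk action returned 200 to a caller
                   who lacks BULK_READ
    'inconclusive' anything else (401 bad credentials, 404 no such cache, ...)
    """
    statuses = set(results.values())
    if statuses == {403}:
        return "patched"
    if 200 in statuses:
        return "vulnerable"
    return "inconclusive"


def fake_fetch_factory(enforce_bulk_read: bool) -> Fetcher:
    """Constructed stand-in for a server (not a real Infinispan response)."""
    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if "Authorization" not in headers:
            return 401, b""
        if enforce_bulk_read:
            return 403, b""
        return 200, b'["k1"]'   # unpatched: keys leak to a non-BULK_READ user
    return fetch


if __name__ == "__main__":
    # Replace the fake fetchers with http_fetch (the default) to probe a
    # real server, e.g. probe_bulk_read("http://localhost:11222", "mycache", hdrs).
    hdrs = basic_auth_header("writer", "writer-password")  # hypothetical user
    for label, fetch in (("unpatched", fake_fetch_factory(False)),
                         ("patched", fake_fetch_factory(True))):
        res = probe_bulk_read("http://localhost:11222", "demo", hdrs, fetch)
        print(f"{label}: {res} -> {classify(res)}")
```

Only run this against a server you are authorized to test, with a cache whose name you know exists: a 404 on both actions is reported as inconclusive rather than as patched, because a missing cache is answered before the permission check is reached.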

Impact

A successful exploit allows an authenticated attacker to enumerate every key and retrieve every entry stored in a cache, including data the user's role was never meant to expose. This breaks the intended authorization model and discloses potentially sensitive data to low-privilege users. Red Hat rates the issue Moderate, since authentication is required but the disclosure covers the whole cache [1][2]; the NVD entry shown at the top of this page carries a High rating.

Mitigation

Red Hat shipped the fix in Red Hat Data Grid 8.4.4 (RHSA-2023:5396) [3]. Upstream, the change (ISPN-14985) landed in the infinispan/infinispan repository as two commits with identical content, 70a50352d919 and b34488dcab8b, each adding the missing BULK_READ check to streamKeys and streamEntries in CacheResourceV2 [4]; the patched Maven versions of org.infinispan:infinispan-server-rest are 14.0.18.Final and 15.0.0.Dev04. Users are advised to upgrade to a patched version. No workarounds have been documented.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.infinispan:infinispan-server-rest | Maven | >= 15.0.0.Dev01, < 15.0.0.Dev04 | 15.0.0.Dev04
org.infinispan:infinispan-server-rest | Maven | < 14.0.18.Final | 14.0.18.Final

Affected products

15

Patches

2
70a50352d919

ISPN-14985 CVE-2023-3628 Check bulk read permissions for REST keys/entries

https://github.com/infinispan/infinispan · Tristan Tarrant · Aug 9, 2023 · via ghsa
2 files changed · +11 −0
  • server/rest/src/main/java/org/infinispan/rest/resources/CacheResourceV2.java (+9 −0, modified)
    @@ -429,6 +429,10 @@ private CompletionStage<RestResponse> streamKeys(RestRequest request) {
           AdvancedCache<Object, ?> cache = invocationHelper.getRestCacheManager().getCache(cacheName, TEXT_PLAIN, MATCH_ALL, request);
           if (cache == null)
              return invocationHelper.newResponse(request, NOT_FOUND).toFuture();
    +      AuthorizationManager authorizationManager = SecurityActions.getCacheAuthorizationManager(cache);
    +      if (authorizationManager != null) {
    +         authorizationManager.checkPermission(AuthorizationPermission.BULK_READ);
    +      }
     
           NettyRestResponse.Builder responseBuilder = invocationHelper.newResponse(request);
     
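Review bot: the new BULK_READ check runs after the `if (cache == null) return ... NOT_FOUND` branch, so a caller without BULK_READ still learns whether a cache name exists (404 versus 403). The ordering is forced here because the AuthorizationManager is obtained from the cache instance, but it deserves a sentence in the commit description. Also confirm that the exception checkPermission raises on denial is translated to a 403 by the surrounding dispatch rather than completing the returned CompletionStage exceptionally as a 500; the accompanying test asserts FORBIDDEN, so that mapping must already exist on this branch. The `authorizationManager != null` guard means caches with no authorization configured skip the check entirely, which should be stated as intended.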
    @@ -464,6 +468,11 @@ private CompletionStage<RestResponse> streamEntries(RestRequest request) {
           AdvancedCache<?, ?> cache = invocationHelper.getRestCacheManager().getCache(cacheName, request).getAdvancedCache();
           if (cache == null) return invocationHelper.newResponse(request, NOT_FOUND).toFuture();
     
    +      AuthorizationManager authorizationManager = SecurityActions.getCacheAuthorizationManager(cache);
    +      if (authorizationManager != null) {
    +         authorizationManager.checkPermission(AuthorizationPermission.BULK_READ);
    +      }
    +
           final MediaType keyMediaType = getMediaType(negotiate, cache, true);
           final MediaType valueMediaType = getMediaType(negotiate, cache, false);
     
    
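Review bot: the pre-existing `if (cache == null) return ... NOT_FOUND` directly above the new block can never fire: `getCache(cacheName, request).getAdvancedCache()` dereferences the lookup result before the null check, so a missing cache surfaces as a NullPointerException instead of a 404. Since this hunk already edits the lines below it, null-check the result of getCache(cacheName, request) before calling getAdvancedCache(), or use the same lookup pattern as streamKeys above, which checks before dereferencing.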
  • server/tests/src/test/java/org/infinispan/server/security/authorization/AbstractAuthorization.java (+2 −0, modified)
    @@ -359,6 +359,8 @@ private void testRestWriterCannotRead(String... explicitRoles) {
           RestCacheClient writerCache = getServerTest().rest().withClientConfiguration(restBuilders.get(TestUser.WRITER)).get().cache(getServerTest().getMethodName());
           sync(writerCache.put("k1", "v1"));
           assertStatus(FORBIDDEN, writerCache.get("k1"));
    +      assertStatus(FORBIDDEN, writerCache.keys());
    +      assertStatus(FORBIDDEN, writerCache.entries());
           for (TestUser user : EnumSet.of(TestUser.OBSERVER, TestUser.DEPLOYER)) {
              RestCacheClient userCache = getServerTest().rest().withClientConfiguration(restBuilders.get(user)).get().cache(getServerTest().getMethodName());
              assertEquals("v1", sync(userCache.get("k1")).getBody());
    
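Review bot: the two new assertions cover only the negative case; the loop that follows still checks just `userCache.get("k1")` for OBSERVER and DEPLOYER. Add the matching positive assertions on `userCache.keys()` and `userCache.entries()` inside that loop so the test also proves that a role holding BULK_READ is not locked out by the new check, otherwise an over-broad denial (for example checking the wrong permission) would pass this test unnoticed.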
b34488dcab8b

ISPN-14985 CVE-2023-3628 Check bulk read permissions for REST keys/entries

https://github.com/infinispan/infinispan · Tristan Tarrant · Aug 9, 2023 · via ghsa
2 files changed · +11 −0
  • server/rest/src/main/java/org/infinispan/rest/resources/CacheResourceV2.java (+9 −0, modified)
    @@ -442,6 +442,10 @@ private CompletionStage<RestResponse> streamKeys(RestRequest request) {
           AdvancedCache<Object, ?> cache = invocationHelper.getRestCacheManager().getCache(cacheName, TEXT_PLAIN, MATCH_ALL, request);
           if (cache == null)
              return invocationHelper.newResponse(request, NOT_FOUND).toFuture();
    +      AuthorizationManager authorizationManager = SecurityActions.getCacheAuthorizationManager(cache);
    +      if (authorizationManager != null) {
    +         authorizationManager.checkPermission(AuthorizationPermission.BULK_READ);
    +      }
     
           NettyRestResponse.Builder responseBuilder = invocationHelper.newResponse(request);
     
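Review bot: style point, the existing `if (cache == null)` two lines above keeps a brace-less body on its own line while the new `if (authorizationManager != null)` block is braced; since the hunk already edits this region, brace the NOT_FOUND return as well so the two consecutive guards read the same. Otherwise this is the same change as the @@ -429 hunk in 70a50352d919 with only the offsets shifted, so the same caveat applies on this branch: the existence check precedes the permission check, which lets a caller without BULK_READ distinguish existing cache names from missing ones.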
    @@ -477,6 +481,11 @@ private CompletionStage<RestResponse> streamEntries(RestRequest request) {
           AdvancedCache<?, ?> cache = invocationHelper.getRestCacheManager().getCache(cacheName, request).getAdvancedCache();
           if (cache == null) return invocationHelper.newResponse(request, NOT_FOUND).toFuture();
     
    +      AuthorizationManager authorizationManager = SecurityActions.getCacheAuthorizationManager(cache);
    +      if (authorizationManager != null) {
    +         authorizationManager.checkPermission(AuthorizationPermission.BULK_READ);
    +      }
    +
           final MediaType keyMediaType = getMediaType(negotiate, cache, true);
           final MediaType valueMediaType = getMediaType(negotiate, cache, false);
     
    
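Review bot: the four-line lookup-and-check block is now duplicated verbatim in streamKeys (@@ -442 above) and streamEntries; extract it into a private helper in CacheResourceV2 (a name like checkBulkRead(cache) is only a suggestion) so the two call sites cannot drift and any further bulk path in this resource can reuse it rather than repeat the omission this CVE is about.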
  • server/tests/src/test/java/org/infinispan/server/security/authorization/RESTAuthorizationTest.java (+2 −0, modified)
    @@ -205,6 +205,8 @@ private void testRestWriterCannotRead(String... explicitRoles) {
                 .cache(ext.getMethodName());
           assertStatus(NO_CONTENT, writerCache.put("k1", "v1"));
           assertStatus(FORBIDDEN, writerCache.get("k1"));
    +      assertStatus(FORBIDDEN, writerCache.keys());
    +      assertStatus(FORBIDDEN, writerCache.entries());
           for (TestUser user : EnumSet.of(TestUser.OBSERVER, TestUser.DEPLOYER)) {
              RestCacheClient userCache = ext.rest().withClientConfiguration(restBuilders.get(user)).get()
                    .cache(ext.getMethodName());
    
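Review bot: the two new FORBIDDEN assertions do not pin down which permission is enforced: the context line above shows WRITER already gets FORBIDDEN for `writerCache.get("k1")`, so WRITER holds neither READ nor BULK_READ, and the assertions would pass equally if the handler mistakenly checked READ instead of BULK_READ. To prove BULK_READ specifically, add a case for a role that holds READ but not BULK_READ (get("k1") succeeds, keys() and entries() return FORBIDDEN), assuming such a role exists in the test's role set.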

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.