Maven package
org.infinispan/infinispan-core
pkg:maven/org.infinispan/infinispan-core
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-5384 | — | >= 15.0.0.Dev01, < 15.0.0.Dev07 | 15.0.0.Dev07 | Dec 18, 2023 | A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration. | ||
| CVE-2020-25711 | — | < 11.0.6.Final | 11.0.6.Final | Dec 3, 2020 | A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. | ||
| CVE-2019-10158 | — | < 9.4.15.Final | 9.4.15.Final | Jan 2, 2020 | A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. | ||
| CVE-2019-10174 | — | < 8.2.12.Final | 8.2.12.Final | Nov 25, 2019 | A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavio | ||
| CVE-2018-1131 | — | — | — | May 15, 2018 | Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code exec | ||
| CVE-2017-15089 | — | < 9.2.0.CR1 | 9.2.0.CR1 | Feb 15, 2018 | It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct fur |
- CVE-2023-5384Dec 18, 2023affected >= 15.0.0.Dev01, < 15.0.0.Dev07fixed 15.0.0.Dev07
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.
- CVE-2020-25711Dec 3, 2020affected < 11.0.6.Finalfixed 11.0.6.Final
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
- CVE-2019-10158Jan 2, 2020affected < 9.4.15.Finalfixed 9.4.15.Final
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.
- CVE-2019-10174Nov 25, 2019affected < 8.2.12.Finalfixed 8.2.12.Final
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavio
- CVE-2018-1131May 15, 2018
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code exec
- CVE-2017-15089Feb 15, 2018affected < 9.2.0.CR1fixed 9.2.0.CR1
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct fur