PT-2018-10472 · Red Hat · Infinispan
Chess Hazlett · Published 2018-05-15 · Updated 2022-05-13
CVE-2018-1131
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Infinispan versions 8.2.10.Final through 9.3.0.Alpha1
Description
The issue allows for improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. An authenticated user could send a malicious object to a cache configured to accept specific types of objects, potentially achieving code execution and further attacks.
Recommendations
For version 8.2.10.Final, update to a version that includes a fix for this issue.
For version 9.0.3.Final, update to a version that includes a fix for this issue.
For version 9.1.7.Final, update to a version that includes a fix for this issue.
For version 9.2.2.Final, update to a version that includes a fix for this issue.
For version 9.3.0.Alpha1, update to a version that includes a fix for this issue.
Fix
Deserialization of Untrusted Data
Related identifiers
Affected products
Infinispan