PT-2018-10472 · Red Hat · Infinispan
Author: Chess Hazlett
Published: 2018-05-15 · Updated: 2022-05-13
CVE-2018-1131
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Infinispan versions 8.2.10.Final through 9.3.0.Alpha1
Description
The issue allows for improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. An authenticated user could send a malicious object to a cache configured to accept specific types of objects, potentially achieving code execution and further attacks.
Recommendations
For versions 8.2.10.Final, 9.0.3.Final, 9.1.7.Final, 9.2.2.Final and 9.3.0.Alpha1, update to a version that includes a fix for this issue.
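The weakness class behind this advisory (deserialization of untrusted data) is usually mitigated by refusing to instantiate anything but the value types a cache is expected to hold. The example below is added here to illustrate that control in general-purpose Java code; it is not Infinispan's own transcoder code nor Red Hat's fix, and it uses the JDK's standard ObjectInputFilter (JDK 9+) rather than the XML/JSON transcoders the advisory names. The allow-list of String, Integer and ArrayList, and the size and depth limits, are assumed values chosen for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class AllowListDeserialization {

    // Assumed allow-list for this demonstration: only the value types the
    // cache is meant to store. The trailing "!*" rejects every other class
    // before its constructor or readObject hook can run; maxdepth/maxbytes
    // bound nested graphs and oversized payloads.
    private static final ObjectInputFilter CACHE_VALUE_FILTER =
        ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.util.ArrayList;"
            + "maxdepth=5;maxbytes=65536;!*");

    // Helper used only to build sample payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize a cache value with the allow-list filter attached. Any class
    // outside the list makes readObject() throw InvalidClassException.
    static Object deserializeFiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(CACHE_VALUE_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value of an allowed type: accepted.
        List<String> allowed = new ArrayList<>(List.of("key1", "key2"));
        System.out.println("accepted: " + deserializeFiltered(serialize(allowed)));

        // java.util.HashMap is not on the allow-list; it stands in for any
        // type the cache was never configured to accept. Rejected before
        // instantiation.
        try {
            deserializeFiltered(serialize(new HashMap<String, String>()));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowListDeserialization.java && java AllowListDeserialization` on JDK 9 or later. The design point is that the filter decides on the class name and graph shape before any object is created, so a cache accepting "certain types of objects" only ever materialises those types; the same rule applies to XML or JSON object mappers, which should likewise be configured with an explicit list of permitted target types instead of honouring type names supplied by the client.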
Fix
Deserialization of Untrusted Data
Affected Products: Infinispan