Search for packages
| purl | pkg:maven/org.infinispan/infinispan-core@8.2.10.Final |
| Next non-vulnerable version | 11.0.6.Final |
| Latest non-vulnerable version | 15.0.0.Dev07 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-22at-v7he-fqek
Aliases: CVE-2017-15089 GHSA-46r5-59fg-2fjc |
Deserialization of Untrusted Data It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. |
Affected by 3 other vulnerabilities. |
|
VCID-4tvk-jh8b-gffx
Aliases: CVE-2018-1131 GHSA-qqfc-m9hc-pqv3 |
Deserialization of Untrusted Data Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-f2rc-7h94-wyhb
Aliases: CVE-2020-25711 GHSA-8674-26jc-wh98 |
Missing Authorization A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. |
Affected by 0 other vulnerabilities. |
|
VCID-gyhd-8wsj-gyac
Aliases: CVE-2019-10158 GHSA-6x3v-rw2q-9gx7 |
Improper implementation of the session fixation protection in Infinispan A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-x6xg-map7-abcg
Aliases: CVE-2019-10174 GHSA-h47x-2j37-fw5m |
Use of Externally-Controlled Input to Select Classes or Code in Infinispan A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||