Jboss Data Grid
CVE-2023-3628
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 9 maven packages depend on org.infinispan:infinispan-server-rest (3 direct, 6 indirect)
Ecosystem-wide dependent count for version 15.0.0.Dev01.
DescriptionNVD
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
AnalysisAI
A flaw was found in Infinispan's REST. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-304. A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. Affected products include: Redhat Jboss Data Grid, Redhat Jboss Enterprise Application Platform, Redhat Data Grid, Infinispan.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Jboss Data Grid
View allJMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Lo
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in
A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. Rated critical severi
A vulnerability was found in Undertow web server before 2.0.21. Rated critical severity (CVSS 9.8), this vulnerability i
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers t
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. Rated high severity (CVSS 8.8), this vulner
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allow
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurat
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. Rate
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Rated high severity (CVSS 7.5), this vu
Same weakness CWE-304 – Missing Critical Step in Authentication
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today