CVE-2023-5236

2023-12-1814:15:10

CWE-1047

redhat

web.nvd.nist.gov

infinispan

flaw

authenticated

denial of service

circular object references

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

21.3%

JSON

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.

Affected configurations

Nvd

Node

redhatdata_gridRange<8.4.4

Node

redhatjboss_data_gridMatch-text-only

Node

infinispaninfinispanMatch-

VendorProductVersionCPE
redhatdata_grid*cpe:2.3:a:redhat:data_grid:*:*:*:*:*:*:*:*
redhatjboss_data_grid-cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*
infinispaninfinispan-cpe:2.3:a:infinispan:infinispan:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	data_grid	*	cpe:2.3:a:redhat:data_grid::::::::
redhat	jboss_data_grid	-	cpe:2.3:a:redhat:jboss_data_grid:-::::text-only:::
infinispan	infinispan	-	cpe:2.3:a:infinispan:infinispan:-:::::::*

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Data Grid 8.4.4",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Data Grid 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "infinispan-server",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:8"
    ]
  }
]