It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data it read from the cache. An authenticated attacker could inject a malicious object into the data cache, have it deserialized on the client, and possibly conduct further attacks.
[
  {
    "product": "infinispan",
    "vendor": "Infinispan",
    "versions": [
      {
        "status": "affected",
        "version": "before 9.2.0.CR1"
      }
    ]
  }
]
www.securitytracker.com/id/1040360
access.redhat.com/errata/RHSA-2018:0294
access.redhat.com/errata/RHSA-2018:0478
access.redhat.com/errata/RHSA-2018:0479
access.redhat.com/errata/RHSA-2018:0480
access.redhat.com/errata/RHSA-2018:0481
access.redhat.com/errata/RHSA-2018:0501
access.redhat.com/errata/RHSA-2019:1326
github.com/infinispan/infinispan/pull/5639