CVE-2020-10746

2020-10-1920:42:17

CWE-862

redhat

www.cve.org

infinispan

local access

rest

hotrod

unauthorized operations

caches

AI Score

Confidence

High

EPSS

Percentile

12.6%

JSON

A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.

CNA Affected

[
  {
    "product": "Infinispan",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Infinispan 11.0.0"
      }
    ]
  }
]

References

bugzilla.redhat.com/show_bug.cgi?id=1835922