Lucene search

RedhatCVELIST:CVE-2023-5236

HistoryDec 18, 2023 - 1:43 p.m.

CVE-2023-5236 Infinispan: circular reference on marshalling leads to dos

2023-12-1813:43:08

CWE-1047

redhat

www.cve.org

infinispan

circular reference

marshalling

dos

authenticated attacker

cache

out of memory

denial of service

4.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

26.8%

JSON

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Data Grid 8.4.4",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Data Grid 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "infinispan-server",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:8"
    ]
  }
]

References

access.redhat.com/errata/RHSA-2023:5396

access.redhat.com/security/cve/CVE-2023-5236

bugzilla.redhat.com/show_bug.cgi?id=2240999

security.netapp.com/advisory/ntap-20240125-0004/

4.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

26.8%

JSON

Related for CVELIST:CVE-2023-5236