It was found that the Hotrod client in Infinispan before 9.2.0.CR1 unsafely deserialized data it read from the cache. An authenticated attacker with write access to the cache could store a malicious serialized object and have it deserialized on any Hotrod client that later read that entry, and possibly conduct further attacks from there. The victim is the client, not the server: server-side hardening alone does not cover this, and the attacker needs nothing more than ordinary write access to a cache the client reads.

Note that the affected-version table below lists 9.2.0.CR1 itself as an affected release, which conflicts with the "before 9.2.0.CR1" wording of the description; check the referenced fix (infinispan pull request 5639) against the release you run before treating CR1 as patched.
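The bug class described above, reduced to a stand-alone Java program. This is an added example and is not code from the page or from the Infinispan project: a `HashMap` stands in for the remote cache (the real Hotrod client receives the same `byte[]` values over the wire), `Order` is a hypothetical application value type, and `Hostile` is a hypothetical attacker-supplied class whose `readObject` hook only records that it ran. The hardened reader uses the JDK's `ObjectInputFilter` allow-list (Java 9+) as one way to reject unexpected classes before their deserialization hooks execute; the project's own fix in PR 5639 is a separate implementation and is not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class HotrodDeserializationDemo {

    // Constructed stand-in for the remote cache. The real Hotrod client receives
    // byte[] values over the wire; a map plays that role so this runs offline.
    static final Map<String, byte[]> cache = new HashMap<>();

    // Hypothetical value type the application legitimately expects to read back.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Hypothetical attacker-supplied class. Any Serializable class on the client
    // classpath whose readObject hook does work can play this role; real gadget
    // chains are built from library classes, this one only records that it ran.
    static final class Hostile implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // in a real chain, this is where the payload executes
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: deserialize whatever bytes came back from the cache.
    // Class resolution and readObject hooks run for any class named in the stream.
    static Object readUnsafe(byte[] value) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(value))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allow-list of expected classes enforced by the JDK's
    // ObjectInputFilter. Patterns are matched in order; the trailing "!*" rejects
    // every class not listed before it, and the rejection happens while the class
    // descriptor is read, before any readObject hook on that class can run.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "HotrodDeserializationDemo$Order;java.lang.String;!*");

    static Object readFiltered(byte[] value) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(value))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A legitimate client writes an Order; an authenticated attacker with write
        // access to the same cache stores an arbitrary serialized object.
        cache.put("order:1", serialize(new Order("A-100")));
        cache.put("order:2", serialize(new Hostile()));

        Order ok = (Order) readUnsafe(cache.get("order:1"));
        System.out.println("unsafe read of order:1 -> Order " + ok.id);

        readUnsafe(cache.get("order:2"));
        System.out.println("unsafe read of order:2 -> Hostile.readObject ran: " + Hostile.readObjectRan);

        Hostile.readObjectRan = false;
        try {
            readFiltered(cache.get("order:2"));
        } catch (InvalidClassException e) {
            System.out.println("filtered read of order:2 rejected: " + e.getMessage());
        }
        System.out.println("Hostile.readObject ran under filter: " + Hostile.readObjectRan);

        Order stillOk = (Order) readFiltered(cache.get("order:1"));
        System.out.println("filtered read of order:1 -> Order " + stillOk.id);
    }
}
```

Run with `javac HotrodDeserializationDemo.java && java HotrodDeserializationDemo` on Java 9 or later. The unsafe path reports that `Hostile.readObject` ran; the filtered path throws `InvalidClassException` (filter status REJECTED) for the hostile entry while still returning the legitimate `Order`. The allow-list is the important design choice: a deny-list of known gadget classes is only as complete as the last published chain, whereas listing the handful of types a client actually expects closes the whole class of bug for that reader.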
Name | Operator | Version
---|---|---
infinispan | eq | 9.2.0 cr1
infinispan | eq | 9.2.0 beta2
infinispan | eq | 9.2.0 beta1
infinispan | eq | 9.2.0 alpha2
infinispan | eq | 9.2.0 alpha1
infinispan | le | 9.1.6
References:

- www.securitytracker.com/id/1040360
- access.redhat.com/errata/RHSA-2018:0294
- access.redhat.com/errata/RHSA-2018:0478
- access.redhat.com/errata/RHSA-2018:0479
- access.redhat.com/errata/RHSA-2018:0480
- access.redhat.com/errata/RHSA-2018:0481
- access.redhat.com/errata/RHSA-2018:0501
- access.redhat.com/errata/RHSA-2019:1326
- github.com/infinispan/infinispan/pull/5639