Lucene search

Redhat.comRH:CVE-2023-5384

HistoryDec 06, 2023 - 4:57 a.m.

CVE-2023-5384

2023-12-0604:57:39

redhat.com

access.redhat.com

infinispan

clear text exposure

cache configuration

serialized

xml

json

yaml

credentials

jdbc store

connection pooling

remote store

administrator permissions

datasource configuration.

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.9%

JSON

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

Mitigation

The issue's impact is limited because only users with administrator permissions can retrieve the cache configurations, and the recommended approach for connecting via JDBC is using the datasource configuration, which does not expose the database credentials.

References

bugzilla.redhat.com/show_bug.cgi?id=2242156

nvd.nist.gov/vuln/detail/CVE-2023-5384

www.cve.org/CVERecord?id=CVE-2023-5384

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.9%

JSON

Related for RH:CVE-2023-5384