Lucene search

RedhatVULNRICHMENT:CVE-2023-5384

HistoryDec 18, 2023 - 1:43 p.m.

CVE-2023-5384 Infinispan: credentials returned from configuration as clear text

2023-12-1813:43:08

CWE-312

redhat

github.com

infinispan

credentials

clear text

configuration serialization

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

0.001

Percentile

21.8%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

References

access.redhat.com/errata/RHSA-2023:7676

access.redhat.com/security/cve/CVE-2023-5384

bugzilla.redhat.com/show_bug.cgi?id=2242156

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.8

Confidence

Low

EPSS

0.001

Percentile

21.8%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2023-5384