Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-1131 from the MITRE CVE dictionary and NIST NVD.
Metric | Value |
---|---|
CVSS3 Base Score | 7.5 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | Low |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Data Grid 7.2 | RHSA-2018:1833 | 2018-06-12 |
Platform | Package | State |
---|---|---|
Red Hat Single Sign-On 7 | infinispan | Affected |
Red Hat OpenShift Application Runtimes 1.0 | vertx | Affected |
Red Hat JBoss Operations Network 3 | infinispan | Under investigation |
Red Hat JBoss Fuse Service Works 6 | infinispan | Affected |
Red Hat JBoss Fuse 7 | camel | Affected |
Red Hat JBoss Fuse 6 | camel | Affected |
Red Hat JBoss EAP 7 | infinispan | Under investigation |
Red Hat JBoss EAP 6 | infinispan | Under investigation |
Red Hat JBoss Data Virtualization 6 | infinispan | Affected |