CVE-2017-15089

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

Published: Feb 15, 2018
Updated: May 9, 2024
CVE: CVE-2017-15089
GHSA: GHSA-46r5-59fg-2fjc
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
infinispan / infinispan	9.2.0-cr1	9.2.0-cr1.x
infinispan / infinispan	9.2.0-beta2	9.2.0-beta2.x
infinispan / infinispan	9.2.0-beta1	9.2.0-beta1.x
infinispan / infinispan	9.2.0-alpha2	9.2.0-alpha2.x
infinispan / infinispan	9.2.0-alpha1	9.2.0-alpha1.x
infinispan / infinispan	-	9.1.6.x
org.infinispan / infinispan-core	-	9.2.0.CR1

http://www.securitytracker.com/id/1040360
https://access.redhat.com/errata/RHSA-2018:0294
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0501
https://access.redhat.com/errata/RHSA-2019:1326
https://github.com/infinispan/infinispan/pull/5639

Vulnerability Database

289,599

CVE-2017-15089