CVE-2020-25711

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

Published: Dec 3, 2020
Updated: May 9, 2024
CVE: CVE-2020-25711
GHSA: GHSA-8674-26jc-wh98
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.9
AV:N/AC:M/Au:S/C:N/I:P/A:P

CWEs:

CWE-862
CWE-269

Affected Software
References

Software	From	Fixed in
infinispan / infinispan	-	11.0.6
redhat / data_grid	8.0	8.0.x
org.infinispan / infinispan-core	-	11.0.6.Final

https://bugzilla.redhat.com/show_bug.cgi?id=1897618
https://security.netapp.com/advisory/ntap-20220210-0023/

Vulnerability Database

289,599

CVE-2020-25711