8.8

CVE-2016-0750

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
InfinispanInfinispan Version < 9.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.4% 0.818
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
secalert@redhat.com 4.2 1.6 2.5
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE-138 Improper Neutralization of Special Elements

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://access.redhat.com/errata/RHSA-2017:3244
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0501
Vendor Advisory
http://www.securityfocus.com/bid/101910
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0750
Vendor Advisory
Issue Tracking
https://github.com/infinispan/infinispan/pull/5116
Patch
Vendor Advisory
https://issues.jboss.org/browse/ISPN-7781
Third Party Advisory
Issue Tracking