CVE-2016-0750

EPSS 0.69%
Published 11.09.2018 13:29:00
Last modified 21.11.2024 02:42:18
Source secalert@redhat.com
Teams watchlist Login
Open Login

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

Affected products Warnungen 0 Metrics 4 CWE 2 References 9

Data is provided by the National Vulnerability Database (NVD)

Infinispan ≫ Infinispan Version < 9.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.69%	0.708

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
secalert@redhat.com	4.2	1.6	2.5	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-138 Improper Neutralization of Special Elements

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://access.redhat.com/errata/RHSA-2017:3244

Vendor Advisory

https://access.redhat.com/errata/RHSA-2018:0501

Vendor Advisory

http://www.securityfocus.com/bid/101910

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0750

Vendor Advisory

Issue Tracking