Infinispan

Infinispan

12 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.5

CVE-2025-5731

  • EPSS 0.02%
  • Published 26.06.2025 21:28:59
  • Last modified 02.09.2025 18:04:30

A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.

2.7

CVE-2023-5384

  • EPSS 0.17%
  • Published 18.12.2023 14:15:11
  • Last modified 21.11.2024 08:41:39

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

6.5

CVE-2023-5236

  • EPSS 0.1%
  • Published 18.12.2023 14:15:10
  • Last modified 25.09.2025 09:15:29

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory ...

6.5

CVE-2023-3628

  • EPSS 0.12%
  • Published 18.12.2023 14:15:08
  • Last modified 21.11.2024 08:17:42

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

6.5

CVE-2023-3629

  • EPSS 0.08%
  • Published 18.12.2023 14:15:08
  • Last modified 21.11.2024 08:17:42

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

6.5

CVE-2020-25711

  • EPSS 0.18%
  • Published 03.12.2020 17:15:12
  • Last modified 21.11.2024 05:18:32

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server w...

9.8

CVE-2019-10158

  • EPSS 0.51%
  • Published 02.01.2020 15:15:11
  • Last modified 21.11.2024 04:18:32

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

8.8

CVE-2019-10174

  • EPSS 1.04%
  • Published 25.11.2019 11:15:10
  • Last modified 21.11.2024 04:18:34

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to in...

8.8

CVE-2016-0750

  • EPSS 0.69%
  • Published 11.09.2018 13:29:00
  • Last modified 21.11.2024 02:42:18

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code executi...

6.5

CVE-2017-2638

  • EPSS 0.5%
  • Published 16.07.2018 13:29:00
  • Last modified 21.11.2024 03:23:53

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.