Vulnerability Description
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Infinispan | Infinispan | <= 9.1.6 |
Related Weaknesses (CWE)
References
- http://www.securitytracker.com/id/1040360 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:0294 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:0501
- https://access.redhat.com/errata/RHSA-2019:1326
- https://github.com/infinispan/infinispan/pull/5639 (Patch, Third Party Advisory)
FAQ
What is CVE-2017-15089?
CVE-2017-15089 is a vulnerability with a CVSS score of 8.8 (HIGH). It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into t...
How severe is CVE-2017-15089?
CVE-2017-15089 has been rated HIGH with a CVSS base score of 8.8/10.
Is there a patch for CVE-2017-15089?
The issue is fixed in Infinispan 9.2.0.CR1; the Infinispan pull request and Red Hat advisories listed in the references section above carry the patch and vendor guidance. Affected product: Infinispan (vendor: Infinispan), versions <= 9.1.6.